Now that the Department of Health and Human Services has announced that it will soon begin the next round of HIPAA compliance audits, organizations need to take specific steps to prepare in case they're chosen for scrutiny, says attorney Robert Belfort, a regulatory specialist.
"Preparation has hopefully been going on for a while," Belfort notes, because HHS' Office for Civil Rights has been signaling for the last two years that it plans to resume the audits. "But, at this point, there are a few different steps that organizations can and should be taking," he says in an interview with Information Security Media Group.
For example, covered entities and business associates should conduct an internal gap analysis of their HIPAA compliance programs. Any such analysis should include "a crosswalk between an organization's existing policies, practices and procedures ... and the HIPAA requirements," he says.
"If there are gaps, such as no policies in certain areas, or a [security] risk analysis hasn't been done recently, then efforts can be made to fill those gaps hopefully before any audit commences."
Another critical step, Belfort says, is to clearly designate who should take the lead role in responding to an audit inquiry. "There should be one point person who is designated with authority to interface with OCR," he says. "That person should have access to other staff in the organization who may be necessary to respond to the audit requests. You don't want to be scrambling to figure out what your organizational model is for handling the audit on the day when the request comes in, because OCR has suggested there will be a relatively short turnaround time for producing documents."
On March 21, OCR announced that phase two of the audits will launch soon, focusing on about 200 remote "desk audits" of covered entities and business associates, to be completed by the end of December, followed by a handful of onsite audits later.
HHS says the phase two audits "are primarily a compliance improvement activity ... to help OCR better understand compliance efforts with particular aspects of the HIPAA Rules." However, the agency adds that a poor audit could result in additional scrutiny. "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate," the office warns.
Belfort says that if OCR finds, for example, "that an organization never did a risk analysis, I don't think it will view that solely as an educational opportunity. ... If organizations have clearly ignored certain requirements - they haven't done a risk analysis, never issued privacy notices to patients, have no policies in place to handle patient requests for records - I think those clear violations will be what tends to push things over to the enforcement side."
In the interview, Belfort also discusses:
- Why the compliance audits could result in OCR resolution agreements and settlements containing financial penalties for some auditees;
- The differences between what OCR will likely inspect during remote "desk" audits versus more comprehensive onsite audits;
- The likelihood of OCR launching a permanent HIPAA compliance audit program.
Belfort, a partner in the healthcare practice of Manatt, Phelps & Phillips LLP, has more than 20 years of experience representing healthcare organizations on regulatory compliance and transactional matters. He advises hospitals, health insurers and medical groups on issues involving HIPAA, privacy, fraud and abuse, managed care and accountable care.