Organizations Facing HIPAA Audits Notified: 'Desk Audits' Will Focus on Only a Few Requirements
The Department of Health and Human Services' Office for Civil Rights revealed July 12 that it has notified 167 covered entities that they have been selected for phase two of the HIPAA audit program. They now must submit requested documentation for a remote "desk audit" within just 10 business days.
During the spring, OCR sent letters by email to a pool of potential candidates to confirm contact information for possible audits. Now, selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the audit program. "Letters were delivered on Monday, July 11, 2016, via email to 167 health plans, healthcare providers and healthcare clearinghouses," OCR says.
Desk audits of business associates will follow this fall, OCR says. And the HIPAA enforcement agency plans to eventually conduct a limited number of in-person audits (see OCR's Deven McGraw on HIPAA Audit Preparation).
The OCR desk audits will examine compliance with the HIPAA privacy, security and breach notification rules. OCR says it will specifically be examining documentation of compliance with only these HIPAA requirements:
- Privacy Rule: Notice of privacy practices; provision of electronic notice; patient right to access designated record set.
- Breach Notification Rule: Timeliness of notification and content of notification.
- Security Rule: Security management processes, including risk analysis and risk management.
OCR says it selected these provisions for focus during the desk audits "because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance." In the pilot audit program conducted in 2011 and 2012, OCR examined 115 covered entities on site for a range of compliance issues.
The HIPAA enforcement agency notes that entities received two email communications. The agency advises entities to "monitor their spam filtering and junk mail folders" for email from OCR.
One email includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR's secure online portal, the agency says. A second email contains an additional request to provide a listing of the entity's business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions.
Entities have until July 22 to respond to the request for HIPAA compliance documentation.
"If you have received the desk audit request - a very small percentage of the folks who provided contact info - you are in for a real challenge," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The 10-day turnaround is very fast, and the requests are very document intensive."
While OCR says it reserves the right to take enforcement action based on audit results, Nahra notes, "it has also made clear that the purpose of the audit program is guidance and education, not enforcement. Enforcement will be limited - if any happens at all from the audits - only in extreme/unusual situations where there is a total failure of compliance. No one should look forward to the audit, but the major challenge will be timely responses, not any resulting enforcement."
With the audits underway, Nahra suggests that all healthcare entities and business associates examine their own compliance efforts. "This is a good reminder to get your policies and procedures in place - OCR asks for many of the same documents in an actual investigation, so having these ready now will help you both for an audit and for the more threatening event of an actual investigation."
Bob Chaput, CEO of the consulting firm Clearwater Compliance, advises organizations to "complete a bona fide, comprehensive NIST SP800-39 Tier 3 risk assessment - that's what OCR is seeking."