HIPAA Phase 2 Audits Are Underway – Is Your Audit Plan in Place?
On March 21, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), announced the launch of the 2016 Phase 2 Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Audit Program (“Phase 2 Audit Program”). The Phase 2 Audit Program will review the policies, procedures, and other activities of covered entities and business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules. Every covered entity and business associate is eligible to be audited.
Pre-Audit: Information-Gathering Stage
Before deciding which entities will be audited, OCR is engaging in an information-gathering stage. Typically, this stage is triggered by an e-mail letter addressed to the individual at the institution who is responsible for HIPAA compliance according to OCR’s records. This initial letter asks the entity to verify contact information. A sample copy of this initial communication is available at http://tinyurl.com/gs7gpje.
After entity contact information is obtained, OCR is e-mailing covered entities and business associates a pre-audit questionnaire. Through the questionnaire, OCR will gather data about the size, type, and operations of potential auditees. This data will be used by OCR to develop pools of potential auditees. OCR has stated that it is seeking to audit a wide range of health care providers, health plans, health care clearinghouses and business associates, factoring information such as size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals. A sample copy of the pre-audit questionnaire is available at http://tinyurl.com/gsu48rz.
This information-gathering stage is already underway at many institutions and it is likely that your institution has already received these initial communications.
Selection for Audit
OCR will select auditees by random sampling from the audit pools. OCR has not indicated how many entities it intends to audit. If selected for an audit, OCR will notify you -- the covered entity or business associate -- in writing. Typically, the letter will be addressed to the contact person identified by your institution in response to the OCR’s initial information-gathering letter. Phase 2 Audits move very quickly, so it’s important that you are notified as soon as the letter arrives.
Phase 2 Audit
OCR will conduct both desk audits and on-site audits. OCR will conduct the desk audits first, in two separate rounds. A round of on-site audits will follow the desk audits. If you are selected for a desk audit, it does not mean that you will also be selected for an on-site audit, though OCR states it is possible that an entity may be subject to both types of audit.
Entities selected for a desk audit will receive a document request letter from OCR. For desk audits, you will have 10 business days to submit the information requested by OCR through a secure online portal.
According to OCR, the on-site audits will examine a “broader scope of requirements from the HIPAA Rules than desk audits.” On-site audits will be conducted over a period of three to five days.
To aid covered entities and business associates with understanding what to expect from a Phase 2 Audit, OCR has released Audit Protocols. The protocols are broken down into the three (3) primary subject areas for HIPAA audits: privacy, security and breach notification. The Protocols are available at http://tinyurl.com/hxskvbo.
Draft Findings, Audit Reports, and Further Investigation
After the conclusion of an audit (whether a desk audit or on-site audit), OCR will provide the auditee with draft findings. The auditee will then have 10 business days to submit any written comments to OCR. OCR will complete an audit report within 30 business days of receiving the auditee’s response. Although OCR has indicated that the audits are primarily a compliance improvement activity, OCR may further investigate a “serious compliance issue.”
OCR expects to complete desk audits before the close of calendar year 2016. OCR has not specified when it expects to complete on-site audits.
The Time to Prepare for a HIPAA Audit is Now
Ten business days is not a significant response time, especially if several days are spent trying to organize the response team and/or to locate requested documents. Colleges and universities that have covered entity and/or business associate components should have a HIPAA audit plan in place before being selected for an audit. Even if your institution is not selected for a Phase 2 Audit, the plan will provide a roadmap for subsequent HIPAA audits and for general HIPAA compliance.
A HIPAA audit plan should include at least the following elements:
- Understand and identify each covered entity and business associate component of your college or university. This may pose a significant challenge as your institution may be conducting many health care activities across multiple departments. Some of these health care activities may be subject to HIPAA, while others may not. Knowing the scope of your HIPAA-covered activities is critical. In December 2015, the OCR entered into a $750,000 settlement with the University of Washington Medicine (“UWM”). One basis for the settlement was that UWM did not ensure that all of its affiliated entities were conducting HIPAA Security Rule-required risk assessments.
- Identify your HIPAA audit response team. Know who will (i) be the key point of contact with OCR and lead the team, and (ii) be a part of the response team and support the point person (e.g., assist in gathering and assembling documents). Given that addressing the audit may encompass significant portions of the team members’ time, you may want to consider who will fulfill their job functions while they are otherwise engaged with the audit response. Your team may need to consist of individuals from several departments.
- Prepare a list of each of your college’s or university’s business associates and their contact information. OCR has provided a template that you may (but are not required to) use, available at: http://tinyurl.com/hjdnhes.
- Locate key HIPAA documents, including: (i) executed business associate agreements; (ii) HIPAA policies, procedures and forms; and (iii) Security Rule risk assessments. Identify and address any compliance gaps.
- Conduct a self-audit. The HIPAA Audit Protocols released by OCR are a valuable tool for conducing your own audit, as they are OCR’s HIPAA audit road map.
The Phase 2 Audit Program will not be the end of HIPAA enforcement or HIPAA audits. The Health Information Technology for Economic and Clinical Health (“HITECH”) Act required OCR to establish a permanent HIPAA audit program. OCR will analyze and evaluate the results of the Phase 2 Audit Program to help it finalize such a program. In addition to the audits, OCR has been active in its HIPAA enforcement. Through May 31, OCR has collected more than $8.6 million from six (6) public settlements in 2016. Maintaining a comprehensive HIPAA compliance program is essential.
If you have any questions about the Phase 2 Audit Program, HIPAA audit preparation or response, or HIPAA compliance generally, please contact the author or any member of the Saul Ewing Higher Education Practice.
This article appears in the Summer 2016 edition of Saul Ewing’s Higher Education Highlights newsletter. Click here to see the complete newsletter.