On March 21, 2016, the HHS Office for Civil Rights (OCR) reported that Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program has begun. The HIPAA audit program is a result of the Health Information Technology for Economic and Clinical Health Act (HITECH), which requires the OCR to periodically audit both covered entities and business associates in an effort to evaluate their HIPAA compliance.
Phase One of the audits, implemented in 2011 and 2012, assessed covered entities. The OCR used this stage to gather information on the auditing process, such as what improvements they could make in their technical support, and to assess the efficacy of different corrective actions insofar as their ability to improve compliance. Last year, the OCR released a compliance report entailing the timeline of the audits, the selection process, and a breakdown of the audit testing procedure. Utilizing the experiences and results from the first phase, Phase Two will analyze the compliance of covered entities as well as business associates.
The OCR has already begun sending questionnaires to potential auditees regarding their size, the type of the potential subject, and their operations, as well as verifying their contact information. They will use the information from the questionnaires to select a diverse cross-section of candidates. It’s important to note that any covered entity or business associate can be chosen, even if they do not respond to the OCRs pre-audit questionnaire. However, covered associates or business associates who are involved in a current OCR investigation or review will not be selected during Phase Two.
Phase Two will involve both desk audit and on-site audits. Both will assess the compliance of subjects with the HIPAA Privacy, Security, and Breach Notification Rules. In the case of a desk audit, once a subject has begun the auditing process, they have 10 business days to supply any requested documentation. The documentation will be audited and findings will be drafted and given back to the subject of the audit, who will have another 10 days to respond to the audit if they so choose.
On-site audits entail a slightly different process. Auditors will schedule an appointment with the subject and provide them with details about the auditing process. The audit typically lasts three to five days. After the findings are given back to the subject, the auditee will have 10 days to review the audit and respond to it with their comments. Both desk and on-site audits will be completed by the end of December 2016.
After the audits are completed, OCR will aggregate the results in an effort to better understand compliance techniques, and to develop tools that will aid industry leaders in preventing breaches and in completing compliance self-evaluations. OCR intends for the audits to lead to more beneficial future practices and to expose the reasons behind security breaches. However, in the event that serious compliance issues are indicated in an individual audit, a compliance review may be initiated.
Let ChartRequest help you navigate and manage the disclosure components of the audit with a full accounting of disclosures of all medical records through one centralized platform. Get complaint and be prepared for OCR Audits today with assistance from ChartRequest!