HIPAA Audits Have Arrived

• OCR has begun conducting audits to ensure compliance with privacy, security & business associate requirements
• OCR will contact covered entities to verify information and obtain information regarding the entity’s business associates
• Covered entities should take steps now to ensure that they are in compliance with all HIPAA requirements

Phase 2 of the Audit Program. Yesterday, the U.S. Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”) announced the long-awaited Phase 2 of the HIPAA Audit Program. Of those covered entities selected for an audit, OCR will conduct both a desk audit and an onsite audit for both the covered entity and its business associates.  These audits will examine compliance with specific requirements of the HIPAA privacy, security and breach notifications rules and covered entities must respond to desk audits within 10 business days. All desk audits will be completed by the end of December 2016.  The next set of audits will be conducted onsite and will examine a broader scope of HIPAA requirements.  At the time of scheduling the onsite audit, OCR will provide more information about the onsite audit process and expectations.  Onsite audits will be conducted over three to five days depending upon the size of the covered entity.

What Covered Entities Should Do Now. Given these impending audits, HIPAA compliance is more critical than ever.  Covered entities should take time now to ensure all HIPAA requirements are being met, policies are in place, business associate information is readily available, and business associate agreements are executed.  Failure to do so could lead to significant consequences later.  (For example, see here and here). As described in OCR’s press release, OCR intends to initiate compliance reviews and further investigate any covered entities that are discovered to have serious issues with HIPAA compliance.

Information from OCR. Please see OCR’s website where it answers the following questions:

• When Will the Next Round of Audits Commence?
• Who Will Be Audited?
• On What Basis Will Auditees Be Selected?
• How Will the Selection Process Work?
• How Will the Audit Program Work?
• What if an Entity Doesn’t Respond to OCR’s Requests for Information?
• What is the General Timeline for an Audit?
• What Happens After an Audit?
• How Will Consumers Be Affected?
• Will Audits Differ Depending on the Size and Type of Participants?
• Will Auditors Look at State-Specific Privacy and Security Rules in Addition to HIPAA’s Privacy, Security, and Breach Notification Rules?
• Who is Responsible for Paying the On-Site Auditors?

Initial Contact by OCR. Phase 2 of the HIPAA Audit Program will begin by OCR emailing covered entities to obtain and verify their contact information to determine which are appropriate to be included in the audit pool.  OCR has cautioned that if a covered entity’s spam filtering and virus protections are enabled, OCR expects the provider to periodically check junk or spam folders for emails from OCR.  Once entity contact information is obtained, OCR will send a questionnaire to the covered entity to gather data about its size, type, and operation.  This questionnaire will ask covered entities to identify their business associates, and OCR encourages covered entities to have their business associates’ contact information already prepared, so they can quickly respond to OCR’s request.  After this questionnaire, OCR will select a random sample of entities for the audit pool, and selected covered entities will be notified of their participation. 

Further Questions? If you would like assistance in responding to a HIPAA audit, or you would like assistance in ensuring your organization is prepared for OCR’s review, please contact Jacqueline Anderson or Aric Martin.

Please note that this alert is intended to be informational only, and is not intended to be nor should it be relied upon as legal advice. Rolf Goffman Martin Lang LLP will not be responsible for any actions taken or arrangements structured based upon this alert. The receipt of this alert by an organization that is not a current client of Rolf Goffman Martin Lang LLP does not create an attorney-client relationship between the recipient and the law firm.

©2016. Rolf Goffman Martin Lang LLP. All Rights Reserved.