As a part of its ongoing efforts to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules, the Health & Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.
Audits are an important compliance tool for OCR that supplement OCR’s other enforcement tools, such as complaint investigations and compliance reviews. These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).
In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
These audits will primarily be desk audits, although some on-site audits will be conducted. The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.
If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.
Remember, audits are on the rise because they are now mandated. Although the number of auditors has grown, the audit mandate itself is the main driver behind the increase in audit volume. This may be a good time to revisit your clients' HIPAA strategies and their PHI distribution and archiving practices.