Be Prepared for Your HITECH Act Audit

In 2015, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) starts enforcing the requirements of HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Because these audits will be conducted randomly, making sure your organization is compliant is key.

The audits will cover the entire spectrum of healthcare entities, including healthcare clearinghouses, healthcare providers, health plans, business associates and vendors. Taking the right steps to ensure your compliance will help you avoid fines or other infractions.

Why was the audit program introduced?

Section 13411 of the HITECH Act requires the Department of Health and Human Services to perform audits of covered entities and business associates on a periodic basis to ensure compliance with HIPAA’s Privacy, Security and Breach Notification Rules. The program was initially piloted in November 2011 and included 115 covered entities. These audits formed the basis for the current audit model.

What areas will the audits address?

The audits will focus on completion of recurring risk analyses and follow-up actions required under risk management as it pertains to the HIPAA Security Rule, content of the risk management plan, timeliness of breach notifications, and notice of patient access rights and privacy practices (as required under the HIPAA Breach Notification Rule and the HIPAA Privacy Rule).

Pre-screening surveys of covered entities and business associates that are potential candidates for the audit will be done by OCR through a new portal. All audits will be performed by OCR personnel.

What is the timeline for an audit?

Covered entities selected for an audit will be notified by a letter from OCR that introduces the audit contractor, explains the audit process in detail, sets out the expectations of the audit, and makes the initial document and information requests. The letter provides specific instructions on how and when the information must be returned to the auditor, which is typically within ten business days.

Covered entities will be notified between 30 and 90 days prior to the onsite visit. The audit may take between three and ten business days, depending on the auditor’s needs and accessibility to materials and staff. After the audit, a draft final report will be issued, with the covered entity having ten business days to review and provide written comments back to the auditor. A final audit report will follow within thirty business days after the covered entity’s final response is submitted to OCR.

Steps to remain in compliance

These steps should be taken by both covered entities and their business associates to be fully prepared and in compliance with HIPAA guidelines:

  • Have a written and signed business associate agreement in place with every entity that is considered a business associate, in line with the changes initiated under the Final Rule.
  • Make the Notice of Privacy Practices (NPP) form available to every patient, with the NPP updated to reflect the changes under the HITECH Act Omnibus Final Rule, which was released in January 2013.
  • Conduct an accurate and full assessment of all risks that may affect electronic protected health information (ePHI).
  • Implement all physical, administrative and technical safeguards required to protect ePHI.
  • Have formal procedures and policies in place for the privacy and security of all protected health information.
  • Make sure all employees are thoroughly trained on the organization’s procedures and its privacy and security policies.
  • Make sure documentation of all training, disclosure logs, documentation of breaches, documentation of analyses, and other documentation required under HIPAA is up to date and readily accessible.

Knowing the process of an OCR audit provides insight and knowledge on how to remain compliant. This is an important element of compliance within your organization and should always remain a top priority.