Covered entities and business associates need to prepare for a new round of HIPAA audits.
Compliance and privacy officers need to be aware that the Department of Health and Human Services Office for Civil Rights (OCR) is beginning a new round of HIPAA audits. OCR will audit both covered entities’ and business associates’ policies and procedures relating to greater transparency for individuals whose protected health information may be at risk.
As part of this audit program phase, OCR is developing enhanced sets of instructions and pursuing a new strategy to test the efficacy of desk audits used to evaluate the HIPAA-regulated industry compliance efforts. The audits are intended to “enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” OCR intends to develop tools and guidance to assist the industry with its compliance efforts.
Both desk and on-site audits will be involved and every covered entity and business associate is eligible for an audit.
Desk Audits
In the coming months, OCR will notify selected covered entities by e-mail about their selection for desk audits. Notifications will introduce audit teams, explain audit processes, and discuss OCR’s expectations in more detail. They will also include initial documentation requests.
After documentation is received, auditors will review information submitted and provide auditees with draft findings. Auditees will have 10 business days to review and return written comments to auditors. Auditors will complete final audit reports for each entity within 30 business days after auditees’ responses, and OCR will share final reports with audited entities.
While conducting desk audits of covered entities, OCR will engage in similar notifications and document-request processes for desk audits of business associates. OCR will share final reports with audited business associates. All desk audits are expected to be completed by the end of this year.
On-Site Audits
Similarly, entities will be notified via e-mail if selected for on-site audits. The auditors will schedule entrance conferences and provide more information about audit expectations. On-site audits will be conducted over three to five days, will be more comprehensive than desk audits, and will cover a wider range of requirements from the HIPAA rules.
Robert Hawkins, compliance officer at Woman’s Hospital, Baton Rouge, La., says that the audits are intended to help OCR better assist the industry with its compliance efforts, but he adds that the process “could be expensive in time and penalties for those entities that are selected for review.”
If an audit finds a serious compliance issue, OCR is likely to follow up with a further investigation, Hawkins says. “Covered entities should hope they are not chosen for audit, but in the meantime, they should redouble their HIPAA compliance efforts to minimize the risk of adverse findings if they are selected,” Hawkins says.
J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA.
Interviewed for this article: Rob Hawkins, FHFMA, is compliance officer, Woman’s Hospital, and is a member of HFMA’s Louisiana Chapter.