A few weeks ago, the National Law Review reported that “covered entities” under HIPAA (health providers, health plans or clearinghouses) are now receiving pre-audit screening surveys from the Department of Health and Human Services’ Office for Civil Rights (OCR). These surveys are part of the process for selecting which organizations will be targeted in the upcoming audits of compliance with the HIPAA Privacy, Security and Breach Notification Standards. These audits are formally called Phase 2 Audits.
Should you be concerned?
There are two good reasons why health care providers should be concerned. Back in 2011 and 2012, OCR hired KPMG, one of the world’s largest audit, tax and advisory firms, to develop an audit tool and conduct onsite audits of 115 organizations.
- 90% of the audited entities were not fully compliant.
- Health care providers made up 65% of the total organizations audited.
- Almost 80% of audited health care providers lacked complete or accurate risk assessments.
These audits highlighted the fact that smaller organizations struggled to comply with HIPAA, with some organizations entirely unaware of some or all of the HIPAA requirements.
These new audits will be more comprehensive and include business partners!
These new audits will differ in many respects from the first round. While the earlier audits focused on covered entities only, Phase 2 Audits will include business associates and will be a combination of comprehensive onsite inspections and “desk audits,” in which OCR determines an organization’s level of HIPAA compliance solely from its review of requested documents.
Performance of a HIPAA Risk Assessment is a MUST!
These desk audits will focus on assessing compliance with the HIPAA Security Rule, specifically whether the organization has performed a thorough risk assessment and remediated its findings in a timely manner. Desk audits will also focus on selected HIPAA provisions and other HIPAA compliance “weak spots” identified in the earlier 2011-2012 audits.
If YOU receive notice of a HIPAA audit
If you receive a letter from OCR telling you that your organization has been selected for an audit, you will have only two weeks to respond to the document request. The documents must be current and submitted on time; late submissions will not be considered. OCR will assess HIPAA compliance solely on the submitted documents, and organizations will not have the opportunity to clarify their responses or provide additional information. Failure to respond to an audit request may prompt OCR to refer the matter for a regional compliance review.
What OCR will request from YOU
When beginning its audit, OCR will request the following from you:
- A recently completed comprehensive risk assessment.
- A recent management action plan with a reasonable timeline for completion, as well as documented remediation activities.
- A complete inventory of business associates.
- Documentation that supports the organization’s decision to not implement addressable HIPAA Security implementation standards.
- An implemented breach notification policy that accurately reflects the Breach Notification Standards and requirements.
- A compliant and revised Notice of Privacy Practices BEYOND the usual website privacy notice and that reflects the HIPAA Omnibus Final Rule changes.
- Documentation that demonstrates reasonable and appropriate safeguards for protected health information (PHI) regardless of its form.
- Documentation that demonstrates that workforce members have received the HIPAA training necessary or appropriate to perform their job duties.
- An inventory of information system assets, including mobile devices (whether corporate-owned or personal) that have access to PHI.
- Appropriate encryption technology for systems and software that transmit electronic PHI or a risk assessment that supports the organization’s choice not to use encryption.
- A facility security plan for each physical location that stores or has access to PHI, as well as a security policy that requires a physical security plan.
- HIPAA privacy and security policies.
IF YOU do not pass HIPAA muster – INVESTIGATION AND POSSIBLE PENALTIES
If OCR identifies major compliance issues, it will open an investigation, which may result in settlements and financial penalties.
WHAT YOU SHOULD DO NOW!
In order to prepare for the possibility of a HIPAA audit, you must assess your organization’s HIPAA compliance posture and include the following activities as part of that assessment:
- Review your organization’s most recently completed comprehensive risk assessment. If the risk assessment is over one year old, conduct another risk assessment as soon as possible.
- Ensure that issues identified in your organization’s most recent risk assessment and prioritized in its management action plan have been addressed and documented. Also, make sure that your organization has reasonable timelines for completing any outstanding findings.
- Maintain a complete inventory of business associates.
- Ensure that your organization documents its decision to not implement addressable Security implementation standards.
- Demonstrate that your organization has tested its incident response and breach notification processes.
- Ensure that your organization has up-to-date and recently reviewed HIPAA Privacy, Security and Breach Notification policies and procedures that reflect the latest HIPAA Omnibus Final Rule changes.
- Engage experts to ensure your organization’s compliance. It is better to pay a company to identify your organization’s HIPAA compliance weaknesses and develop a remediation plan than to have those weaknesses surface in an audit and in the press, and to receive fines and penalties for noncompliance.
Don’t play with fire!
Not doing the above is playing with fire. It is also against the law.
HIPAA compliance must be taken seriously. There is a new environment out there and it is coming your way!
Don’t risk your business, career or reputation.