Phase 2 HIPAA Audits: Strategies for Clinicians

Publication
Article
Psychiatric TimesVol 33 No 10
Volume 33
Issue 10

The next phase of HIPAA compliance audits has arrived. Clinicians who are HIPAA-covered entities-or business associates-would be well served to prepare now.

The next phase of HIPAA compliance audits has arrived. On March 21, 2016, the HHS Office for Civil Rights (OCR) launched phase 2 of its audit program to assess the compliance efforts of “covered entities” and “business associates” that must comply with the HIPAA Privacy, Security, and Breach Notification Rules.1 Most health care providers-essentially those who bill electronically-are covered entities under HIPAA. Covered entities also include health plans such as insurance companies and group benefit plans and clearinghouses. Business associates basically are entities that provide services to or on behalf of covered entities (or other business associates), and those services involve creating, receiving, maintaining, or transmitting protected health information. Clinicians who are HIPAA-covered entities-or business associates-would be well served to prepare now.

[[{"type":"media","view_mode":"media_crop","fid":"52986","attributes":{"alt":"Aleutie © shutterstock.com","class":"media-image media-image-right","id":"media_crop_2534294350418","media_crop_h":"0","media_crop_image_style":"-1","media_crop_instance":"6585","media_crop_rotate":"0","media_crop_scale_h":"121","media_crop_scale_w":"150","media_crop_w":"0","media_crop_x":"0","media_crop_y":"0","style":"font-size: 13.008px; float: right;","title":"Aleutie © shutterstock.com","typeof":"foaf:Image"}}]]

Who will be selected for an audit?

All covered entities and business associates are eligible for an audit, although a smaller sample actually will be audited. Auditees will be selected based on several factors, including type of entity (eg, health care provider, health plan, clearinghouse, business associate), size, and location.

How does OCR select auditees?

To create a diverse pool of potential audit eligible candidates, OCR sends a letter by email to covered entities to verify their contact information followed by a questionnaire.

OCR notifies those selected for an audit by email in a “document request letter” that specifies the documents to be provided, introduces the audit team, explains the audit process, and sets expectations. OCR expects auditees to give auditors their full cooperation and support.

How will OCR conduct the phase 2 audits?

OCR will divide phase 2 audits into 3 rounds. The first 2 rounds will use remote desk audits to examine compliance with the Privacy, Security, or Breach Notification Rule by covered entities (in round 1) and business associates (in round 2). Round 1 has begun already. OCR sent emails initiating desk audits to 167 covered entities on July 11, 2016. Round 2 desk audits of business associates are scheduled to be completed by year end.

Round 1 desk audits so far have focused on:

• Privacy/breach: Notices of privacy practices, the individual right of access, and breach notification

• Security: risk analysis and risk management

• Breach notification: content and timing

Round 3 will target both covered entities and business associates. Audits will be performed onsite, may last 3 to 5 days, and be more comprehensive. An auditee in round 1 or 2 also may be selected for an onsite audit in round 3.

After each round, OCR will provide an auditee with a draft report of the findings and permit the auditee to submit comments within 10 business days. An auditee’s comments will be included in OCR’s final audit report.

What happens after a HIPAA audit?

OCR wants to use the audits to “get out in front of problems before they result in breaches.”2 Yet clinicians should be aware that OCR may still initiate a compliance review if an audit reveals “a serious compliance issue.” (Congress requires OCR to conduct “periodic” HIPAA compliance audits; see 42 U.S.C. § 17940.)

How to prepare for HIPAA audits?

Just like patients nervous to see their physician for fear of what might be found, some clinicians may be wary of an OCR audit. Clinicians should use this time to prepare for the audits, which also will promote and improve their privacy and security compliance efforts. Some tips:

1)Don’t ignore OCR. Leaving the phone off the hook or the spam folder unchecked will not save a clinician from an audit. Clinicians who do not respond to OCR’s information requests may still be selected for an audit and also may become the target of an OCR compliance review.

2)Keep OCR out of your spam folder. OCR will use email for its audit communications and has warned that it expects clinicians to check junk or spam folders for emails from OCR. Clinicians should set OCR as an approved sender so that OCR’s emails are not sent to a spam folder or otherwise blocked.

3)Beware of scams. Clinicians should verify that emails purporting to be from OCR actually are from OCR and are not phishing attempts (double-check that all seemingly audit-related emails, in fact, are from OSOCRAudit@hhs.gov and that the links go to hhs.gov addresses before clicking on them).

4) Develop an audit response plan. Much like having an incident response plan, clinicians should plan their response to an audit. Clinicians may want to identify their resources of both internal and external support, including legal counsel experienced in HIPAA compliance.

5) Conduct a pre-audit review. Clinicians should conduct their own pre-audit reviews in preparation for the audits and correct any gaps in HIPAA compliance. This may be done by using the audit protocols that have been released by OCR, or other audit toolkits from trusted sources.3

6) Revisit the risk analysis. Clinicians should verify that an updated risk analysis has been performed and documented. This includes identifying where health information is located; defining the scope of risk analysis that identifies systems that create, receive, maintain, or transmit protected health information; determining reasonably anticipated threats and vulnerabilities; analyzing impact and likelihood of threats and vulnerabilities; and rating the risk.

7)Update HIPAA documentation. Policies, procedures, and notices of privacy practices should be updated based on the relatively recent changes in HIPAA as well as issues that have arisen for the clinician and the industry as a whole (such as addressing mobile devices and ransomware).

8) Training. Clinicians should be able to demonstrate that their staff has been trained on HIPAA compliance.

9) Don’t keep OCR waiting. OCR may decide not to consider information provided after its deadlines. So, timeliness is critical. This will be challenging, since auditees will have only a short window to provide requested information.

10)Know your business associates. Clinicians will be asked to identify-and provide contact information for-their business associates. Bear in mind that the definition of “business associate” and requirements for business associate contracts changed a few years back. So clinicians should verify that their business associate list is correct and that updated business associate contracts are in place.

11)The Freedom of Information Act (FOIA) may not be your friend. OCR may have to release audit-related documents in response to Freedom of Information requests by the public. Since potentially sensitive information (such as risk analyses and patient lists) may be provided through an audit, clinicians should consult with a lawyer about ways to help protect confidential information from FOIA disclosures.

12)Be current, but not too current. OCR will request documents that are current as of the date of the data request. OCR, however, may look askance at documents developed after the date of the data request.

13)Demonstrate effectiveness. Confidentiality is a critical component of patient care. Clinicians should have a culture of privacy and security compliance and should determine ways to demonstrate their HIPAA compliance to OCR.

14) Not being chosen for a desk audit does not mean a clinician is out of the phase 2 audit woods. OCR is expected to start the round 3 full onsite audits sometime in 2017. OCR will likely target approximately 24 covered entities and business associates to review as part of round 3 (although the number of organizations audited during round 3 is subject to change). Moreover, OCR has indicated that the phase 2 audits are the start of a more permanent audit program, so while the first batch of desk audits is already out the door, clinicians should continue to prepare for the many possible audits to come.

It appears that audits are here to stay. Clinicians can expect additional phases of audits in the future.

Disclosures:

Ms. Williams is Chair, Health Information Practice, Davis Wright Tremaine LLP, Seattle, WA. She reports no conflicts of interest concerning the subject matter of this article.

References:

1. HHS.gov. OCR Launches Phase 2 of HIPAA Audit Program. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html. Accessed September 13, 2016.

2. HHS.gov. HIPAA Privacy, Security, and Breach Notification Audit Program. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html. Accessed September 13, 2016.

3. HHS.gov. Audit Protocol: Updated April 2016. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html. Accessed September 13, 2016.

Articles in this issue
© shutterstock.com
Introduction: Innovations in Care for People With Schizophrenia Spectrum Disorders
DavidCarillet-Shutterstock.com
Brief Cognitive Behavioral Therapy Interventions for Psychosis
© Lightspring/shutterstock.com
Providing Culturally Competent Care: Understanding the Context of Psychosis
shutterstock.com
Psychotic Disorders in DSM-5: Clinical Implications of Revisions From DSM-IV
psychotic features
Exploring the Psychosis-Depression Interface: Clinical Implications
© shutterstock.com
“Doctor, Am I Gay?” A Primer on Sexual Identities
Outside the Pill Box: The Systems-Based Practice of Psychiatry
Outside the Pill Box: The Systems-Based Practice of Psychiatry
Nonvalidated Pharmacogenetic Tests, Part I: Confessions of an Embarrassed Psychiatry Professor
Nonvalidated Pharmacogenetic Tests, Part I: Confessions of an Embarrassed Psychiatry Professor
Transplant Psychiatry: Psychiatric Care of Organ Donors and Recipients
Transplant Psychiatry: Psychiatric Care of Organ Donors and Recipients
© ISTOKKETE/SHUTTERSTOCK.COM
“A Penny for Your Thoughts”-or What Would Rod Serling Say About E-prescribing?
shutterstock
Psychiatric and Psychosomatic Aspects of Chronic Pain: Clinical Implications, Solutions
Phase 2 HIPAA Audits: Strategies for Clinicians
Phase 2 HIPAA Audits: Strategies for Clinicians
© Jeff Cameron Collingwood/shutterstock.com
Frankly, My Dear, They Don’t Give a Damn
Brain Pathways: New Approaches to Structure-Function Localization
Brain Pathways: New Approaches to Structure-Function Localization
Letter From Luke
Letter From Luke
Related Videos
thankful
retirement
Related Content
FTC

Goodbye Noncompetes: Federal Trade Commission Votes to Ban Noncompete Clauses

April 24th 2024
Article
Site Logo

Discovering Psychiatry throughout the 5 Boroughs

June 19th 2020
Podcast
collaboration

Getting to Know the American Association for Psychiatric Administration and Leadership

August 31st 2023
Article
©Lightspring/Shutterstock

Transcranial Magnetic Stimulation: A Look Under the Hood

January 19th 2018
Podcast
Dear Younger Self: Female Physicians Share Financial Advice

Dear Younger Self: Female Physicians Share Financial Advice

July 13th 2023
Article
job interview

Preparing for a Job Interview: The “10 Knows”

July 11th 2023
Article
© 2024 MJH Life Sciences

All rights reserved.