Phase 2 HIPAA Audits: Strategies for Clinicians

October 19, 2016
Rebecca L. Williams, RN, JD
Volume 33, Issue 10

The next phase of HIPAA compliance audits has arrived. Clinicians who are HIPAA-covered entities, or business associates, would be well served to prepare now.

The next phase of HIPAA compliance audits has arrived. On March 21, 2016, the HHS Office for Civil Rights (OCR) launched phase 2 of its audit program to assess the compliance efforts of “covered entities” and “business associates” that must comply with the HIPAA Privacy, Security, and Breach Notification Rules.[1] Most health care providers (essentially those who bill electronically) are covered entities under HIPAA. Covered entities also include health plans (such as insurance companies and group benefit plans) and clearinghouses. Business associates basically are entities that provide services to or on behalf of covered entities (or other business associates), where those services involve creating, receiving, maintaining, or transmitting protected health information. Clinicians who are HIPAA-covered entities, or business associates, would be well served to prepare now.


Who will be selected for an audit?

All covered entities and business associates are eligible for an audit, although a smaller sample actually will be audited. Auditees will be selected based on several factors, including type of entity (eg, health care provider, health plan, clearinghouse, business associate), size, and location.

How does OCR select auditees?

To create a diverse pool of potential audit-eligible candidates, OCR sends a letter by email to covered entities to verify their contact information, followed by a questionnaire.

OCR notifies those selected for an audit by email in a “document request letter” that specifies the documents to be provided, introduces the audit team, explains the audit process, and sets expectations. OCR expects auditees to give auditors their full cooperation and support.

How will OCR conduct the phase 2 audits?

OCR will divide phase 2 audits into 3 rounds. The first 2 rounds will use remote desk audits to examine compliance with the Privacy, Security, or Breach Notification Rule by covered entities (in round 1) and business associates (in round 2). Round 1 has begun already. OCR sent emails initiating desk audits to 167 covered entities on July 11, 2016. Round 2 desk audits of business associates are scheduled to be completed by year end.

Round 1 desk audits so far have focused on:

• Privacy/breach: notices of privacy practices, the individual right of access, and breach notification

• Security: risk analysis and risk management

• Breach notification: content and timing

Round 3 will target both covered entities and business associates. Audits will be performed onsite, may last 3 to 5 days, and be more comprehensive. An auditee in round 1 or 2 also may be selected for an onsite audit in round 3.

After each round, OCR will provide an auditee with a draft report of the findings and permit the auditee to submit comments within 10 business days. An auditee’s comments will be included in OCR’s final audit report.

What happens after a HIPAA audit?

OCR wants to use the audits to “get out in front of problems before they result in breaches.”[2] Yet clinicians should be aware that OCR may still initiate a compliance review if an audit reveals “a serious compliance issue.” (Congress requires OCR to conduct “periodic” HIPAA compliance audits; see 42 U.S.C. § 17940.)

How to prepare for HIPAA audits?

Just like patients nervous to see their physician for fear of what might be found, some clinicians may be wary of an OCR audit. Clinicians should use this time to prepare for the audits, which also will promote and improve their privacy and security compliance efforts. Some tips:

1) Don’t ignore OCR. Leaving the phone off the hook or the spam folder unchecked will not save a clinician from an audit. Clinicians who do not respond to OCR’s information requests may still be selected for an audit and also may become the target of an OCR compliance review.

2) Keep OCR out of your spam folder. OCR will use email for its audit communications and has warned that it expects clinicians to check junk or spam folders for emails from OCR. Clinicians should set OCR as an approved sender so that OCR’s emails are not sent to a spam folder or otherwise blocked.

3) Beware of scams. Clinicians should verify that emails purporting to be from OCR actually are from OCR and are not phishing attempts (double-check that all seemingly audit-related emails, in fact, are from OSOCRAudit@hhs.gov and that the links go to hhs.gov addresses before clicking on them).

4) Develop an audit response plan. Much like having an incident response plan, clinicians should plan their response to an audit. Clinicians may want to identify their resources of both internal and external support, including legal counsel experienced in HIPAA compliance.

5) Conduct a pre-audit review. Clinicians should conduct their own pre-audit reviews in preparation for the audits and correct any gaps in HIPAA compliance. This may be done by using the audit protocols that have been released by OCR, or other audit toolkits from trusted sources.[3]

6) Revisit the risk analysis. Clinicians should verify that an updated risk analysis has been performed and documented. This includes identifying where health information is located; defining the scope of risk analysis that identifies systems that create, receive, maintain, or transmit protected health information; determining reasonably anticipated threats and vulnerabilities; analyzing impact and likelihood of threats and vulnerabilities; and rating the risk.

7) Update HIPAA documentation. Policies, procedures, and notices of privacy practices should be updated based on the relatively recent changes in HIPAA as well as issues that have arisen for the clinician and the industry as a whole (such as addressing mobile devices and ransomware).

8) Training. Clinicians should be able to demonstrate that their staff has been trained on HIPAA compliance.

9) Don’t keep OCR waiting. OCR may decide not to consider information provided after its deadlines. So, timeliness is critical. This will be challenging, since auditees will have only a short window to provide requested information.

10) Know your business associates. Clinicians will be asked to identify (and provide contact information for) their business associates. Bear in mind that the definition of “business associate” and requirements for business associate contracts changed a few years back. So clinicians should verify that their business associate list is correct and that updated business associate contracts are in place.

11) The Freedom of Information Act (FOIA) may not be your friend. OCR may have to release audit-related documents in response to Freedom of Information requests by the public. Since potentially sensitive information (such as risk analyses and patient lists) may be provided through an audit, clinicians should consult with a lawyer about ways to help protect confidential information from FOIA disclosures.

12) Be current, but not too current. OCR will request documents that are current as of the date of the data request. OCR, however, may look askance at documents developed after the date of the data request.

13) Demonstrate effectiveness. Confidentiality is a critical component of patient care. Clinicians should have a culture of privacy and security compliance and should determine ways to demonstrate their HIPAA compliance to OCR.

14) Not being chosen for a desk audit does not mean a clinician is out of the phase 2 audit woods. OCR is expected to start the round 3 full onsite audits sometime in 2017. OCR will likely target approximately 24 covered entities and business associates to review as part of round 3 (although the number of organizations audited during round 3 is subject to change). Moreover, OCR has indicated that the phase 2 audits are the start of a more permanent audit program, so while the first batch of desk audits is already out the door, clinicians should continue to prepare for the many possible audits to come.

It appears that audits are here to stay. Clinicians can expect additional phases of audits in the future.

Disclosures:

Ms. Williams is Chair, Health Information Practice, Davis Wright Tremaine LLP, Seattle, WA. She reports no conflicts of interest concerning the subject matter of this article.

References:

1. HHS.gov. OCR Launches Phase 2 of HIPAA Audit Program. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html. Accessed September 13, 2016.

2. HHS.gov. HIPAA Privacy, Security, and Breach Notification Audit Program. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html. Accessed September 13, 2016.

3. HHS.gov. Audit Protocol: Updated April 2016. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html. Accessed September 13, 2016.