HIPAA Audits Round 2: OCR’s Cards Revealed
In February, the Office for Civil Rights (OCR) announced it would begin a second round of HIPAA compliance audits. At the time, the details of these planned audits were murky at best. That’s all starting to change, thanks to a series of presentations being given by OCR officials at various conferences around the country. Here’s what we know:
- Beginning in the fall of 2014, approximately 350 covered entities will be audited (232 providers, 109 health plans and nine clearinghouses). The audits of those initially selected are slated to conclude by June 2015.
- Covered entities will be asked to furnish a list of all of their business associates. From those lists, business associates will be audited beginning in 2015.
- The audits will be strictly desk audits (not on site) and will be conducted by OCR regional and central office investigators. Auditors will not have opportunity to contact the covered entity for clarification or additional information.
- The audits will be broken down by type: 100 entities will be audited on Notice of Privacy Practices and patient access to records under the Privacy Rule; 100 entities will be audited on the content and timeliness of notifications under the Breach Notification Rule; and 150 entities will be audited on the risk analysis and risk management standards of the Security Rule. Business associates will be audited only on the risk analysis and risk management components of the Security Rule.
- Topics for the second round of audits in the second half of 2015 include device and media controls under the Security Rule and safeguards and training under the Privacy Rule. Projected topics for 2016 include encryption and decryption, facility access controls, other areas of high risk as identified by 2014 audits, breach reports and complaints.
- An updated audit protocol will be published on the OCR website for use by auditors to determine compliance. A sampling methodology will be used (e.g., give us a sample of 10 breach letters sent to patients).
With a narrow focus in this round of audits, OCR will be looking for greater detail and evidence of compliance than during the pilot audit phase. It will be very important that your documentation standing alone tells a good story of your compliance efforts. You will not have an opportunity for dialogue with OCR. Do your documents show approval, signature and date? Do you have evidence of actual deployment of your policies and can you show evidence that your staff is following the policies? For example, OCR could request evidence that you have provided a patient with copies of his or her medical record on a timely basis after a request. Would your documentation show when the copies were requested so that you can document that you complied with the request within the timeframe required by HIPAA? Do you have any record that you fulfilled the request? We believe OCR will be looking beyond the mere policy for actual evidence of compliance with the policy. Covered entities should be thinking now of ways to document compliance in the areas identified. Once published, the updated audit protocol will be an important resource for providers attempting to self-audit on these topics.