Office for Civil Rights Phase 2 HIPAA Audits Underway

Monday, October 03, 2016


Under the provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The first phase of the audit program was conducted in 2011 and 2012, and based on the results of that pilot program, Phase 2 of the HIPAA audits is beginning now.

HIPAA Audits Explained

According to HHS, the HIPAA audit program is designed to assess the HIPAA compliance efforts of entities covered by HIPAA regulations. The audits examine how covered entities approach and manage compliance; identify best practices in maintaining privacy and security and adhering to breach notification rules; surface potential issues not found through ongoing reviews and complaint investigations; and, in effect, allow problems to be identified before they become data breaches and put patient privacy at risk. Through these audits, OCR can identify best practices and provide improved guidance for covered entities on how to handle compliance challenges and prevent serious issues.


Under this new round of audits, any entity covered by HIPAA rules, including home health agencies, can be selected for an audit. Initial letters were sent to covered entities via email on July 11, requesting confirmation of the entity's contact information; the confirmation was to be returned by July 25, 2016. Once the deadline for confirmation has passed, OCR will send out a questionnaire to collect demographic information about the entity and prescreen candidates for audit. The questionnaire will gather data about the size, type, and operations of your business, as well as information about any business associates with whom you work that are covered by HIPAA rules.


The pool of auditees will then be selected based on these responses. Selection will be random, drawing from the pool according to the size and scope of your business. Unlike the first round of audits, though, OCR is expected to select only a few hundred entities for audit, rather than a few thousand. In addition, the audits in this round will all be desk audits, which are expected to be completed by December 20, 2016.


What Is Being Audited

If your agency is selected for an audit, you will receive notification by email and be asked to submit specific documents and other data via a secure audit portal on OCR's website. After the initial review of the submitted documentation, the auditors will develop and share draft findings with you, and you will then have the chance to respond to the findings. While the specific documents and data that will be requested are unknown at this time, OCR does note that it will only be requesting information and documentation for HIPAA requirements related to the Privacy, Security, and Breach Notification Rules, and that only those entities selected for an on-site audit based on the initial desk audit results will be subject to a full compliance audit.


Preparing Your Agency

Because the number of HIPAA-covered entities that will be selected for audit is relatively small compared to the overall pool of potential auditees, there is a good chance that your agency will not be selected. That being said, you still need to be aware of the audit process and what you need to do.


1. Check your email. If your agency has not yet received the letter about the audits and confirmed your contact information, do so now. Check your spam or junk email folders in case the message was incorrectly classified. Failing to respond to the email will not eliminate you from selection; in fact, if OCR has incorrect contact information and you are chosen for an audit, you could face a full on-site audit as well as fines or other sanctions.


2. Prepare to be selected. Again, while the chance of being selected is low, prepare as if you will be chosen for a full on-site audit. Collect the necessary data using your home health software, and review your agency's policies, procedures, and guidelines that support HIPAA and HITECH standards. Develop an updated list of business associates to provide to OCR as well.


3. Conduct risk assessments. While you wait for audits to begin, assess your risk and analyze your security procedures and protocols. Develop a strategy for closing gaps and improving your HIPAA compliance. Even if you aren't audited, use this opportunity to improve your agency's security and privacy protections.


The primary purpose of these audits is to identify best practices so that OCR can develop more effective tools to support covered entities in their efforts to protect privacy. However, the audits will also identify potential areas of concern and recommend remedies when necessary. In some cases, a significant compliance concern may result in a full compliance audit and fines or sanctions.


Maintaining compliance with HIPAA and HITECH should be a primary concern for all home health care agencies.


To learn more about tools that allow you to manage your business more effectively while ensuring a high level of security, read about Complia Health's software solutions.