As promised, Phase 2 of OCR's audit program is underway. If you receive a request from OCR to verify contact information, a request to complete a screening questionnaire, or are actually selected for the audit, a timely response is critical.
Confirmation and Questionnaire
Currently, OCR is working on confirming contact information:
- If you are asked to verify your contact information, you will have 14 days to either confirm your identity and email address or provide updated primary and secondary contact information.
From there, entities will be asked to complete a screening questionnaire that is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security, and Breach Notification Audit Program:
- Receiving this notice does not mean your organization has been selected for an audit; rather, your organization is part of a pool from which OCR will select the entities that will be audited this year.
- If you receive a request, you will have 30 days to complete the online screening questionnaire.
What if our organization is selected for an audit?
In a recent interview published May 18, 2016, Deven McGraw, deputy director of health information privacy for the U.S. Department of Health & Human Services' Office for Civil Rights (OCR) said if you are selected for an audit you have 10 business days to submit documentation.
We verified her statement by reviewing an actual questionnaire request sent to an entity, which clearly states that you will have 10 business days to respond:
Please be aware that if your entity is selected for an audit, you will have ten (10) business days to respond with the requested documentation. Among other items, selected entities must submit a list of all current business associates, with up-to-date contact information, within the 10 day response period. OCR will use this information to compile a list of potential business associate subjects to audit.
OCR will either:
- conduct a focused desk audit to review documentation of evidence of your compliance with selected provisions of the Rules; or
- conduct a comprehensive on-site review of your compliance with applicable requirements of the HIPAA Rules; or
- follow up a desk audit with an on-site audit.
These audits will be conducted later this summer, after OCR has verified entity contact information and established a pool of covered entities. It is important to note that audits will be conducted on covered entities first, followed by business associates. According to Deven McGraw, "the current database of business associates is not robust enough."
The audit protocol is organized by Rule and regulatory provision and addresses the elements of privacy, security, and breach notification separately. The audits assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review. While audits may vary, according to McGraw there are two areas on which OCR will focus:
- Enterprise-wide risk assessments
- Policies and procedures for providing patients with access to their medical records
How we can help
We agree with Deven McGraw that it is beneficial to begin preparing for an audit even if you are not selected. We recently published the following 10 steps to ensure you are prepared in the event of an OCR HIPAA audit:
- Policies and procedures must be implemented and documented, and they should be tailored to your organization as necessary.
- Employees must receive training on policies and procedures at the time of hire, on an annual basis, and whenever there are updates.
- Perform a HIPAA Virtual Walkthrough. What safeguards do you have in place to ensure PHI is secured? Are you using and disclosing minimum necessary PHI?
- Review or conduct an SRA and have a corrective action plan in place to address any identified deficiencies.
- Have an inventory of any and all devices that access ePHI.
- Any mobile devices that access ePHI must be properly secured, preferably encrypted.
- Ensure your NPP is current, available upon request, and prominently posted within your facility. Does your NPP include instructions for filing a complaint?
- Review your processes and any documentation that supports individuals' right to access their PHI, e.g., if a patient has made a request, do you have supporting documentation that reflects a timely response?
- Breaches of unsecured PHI that affect fewer than 500 individuals must be submitted to the Secretary within 60 days of the end of the calendar year in which the breach was discovered. This means breaches should be reported no later than February 29, 2016, especially with the increased focus on audits of covered entities and business associates in 2016.
- Know the definition of a business associate and who your business associates are. Do you have a list of your business associates? Are business associate agreements in place?
Becoming familiar with the information we have shared in this article will prepare you for your next steps should you receive a request from OCR to verify contact information, a request to complete a screening questionnaire, or be selected for the audit.
If you have any questions, please feel free to reach us by phone toll-free at 855-427-0427 or send us an email at email@example.com.