HIPAA Phase 2 Audits: Actions Not Just Words

Blank Rome LLP

Action Item: With the commencement of Health Insurance Portability and Accountability Act (“HIPAA”) Phase 2 audits, and the increase in HIPAA enforcement activity, covered entities and business associates need to take HIPAA compliance seriously. The Department of Health and Human Services Office of Civil Rights (“OCR”) audit protocol provides a road map to evaluate your HIPAA compliance and will be a critical tool when preparing to respond to an OCR audit.

If your organization is a HIPAA-covered entity or business associate, management would be wise to confirm that your privacy and security officers have reviewed the OCR Phase 2 HIPAA audit protocols and are prepared in the event that OCR commences an audit of your organization. And, if you have not figured it out already, it is not sufficient to have a binder of HIPAA policies in a drawer that no one in the organization has read in the past several years.

At the end of March, OCR announced the start of Phase 2 of its HIPAA compliance audits. The audits will cover both covered entities and business associates, and will evaluate their compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR’s website states that it has already begun to contact entities to determine which organizations will be included in the auditee pools. OCR has made its audit pre-screening questionnaire available here: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html. Based on responses to this questionnaire, OCR will select parties to audit. Covered entities and business associates are advised to check e-mails and spam filters for communications from OCR regarding the audits.

OCR has published its Phase 2 audit protocol on its website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html. Covered entities and business associates should review

The audit protocols reflect the requirements of the HIPAA regulations, but, not surprisingly, there is a substantial emphasis on documentation—not only written policies and procedures, but documentation of the organization’s decision-making and implementation of those policies and procedures.

For each section of the regulations, OCR identifies a Key Activity, the Established Performance Criteria for that activity, and the corresponding Audit Inquiry. Generally, OCR will ask for copies of the policies and procedures that determine how a key activity is processed and documented within the organization, and will then look at documentation that the activity actually occurred and whether it occurred in a manner consistent with the organization’s policies and procedures. So, for example, OCR identifies “Mitigation” as a Key Activity under 45 CFR 164.530(f). The corresponding “Established Performance Criteria” is that the organization “must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information (“PHI”) in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.” During the audit, OCR will:

  • Ask if the organization mitigates any harmful effect that is known to it of a use or disclosure of PHI in violation of its policies and procedures.
  • Determine whether a process is in place to ensure mitigation actions are taken pursuant to the policies and procedures.
  • From a population of instances of noncompliance within the audit period, obtain and review documentation to determine whether mitigation plans were
  • Obtain and review documentation that the policies and procedures are conveyed to the workforce.

So, it is not sufficient to just have a policy that requires mitigation. OCR will look for instances of noncompliance and determine if a mitigation plan was created to address the noncompliance and that the plan was carried out. Also, OCR will look to see that the workforce is aware of the relevant policies and procedures requiring mitigation.

Again, if your organization is one that purchased a set of HIPAA policies and procedures years ago and maybe did an initial training of its workforce at that time—this will not be sufficient to respond to an OCR audit.

OCR intends to audit organizations of all shapes and sizes so that it can assess HIPAA compliance across the entire health care industry. OCR intends to initially conduct desk audits where materials will be requested and must be submitted through an online portal. Organizations will be expected to respond to requests within 10 business days.

OCR’s Deputy Director has said that covered entities can anticipate receiving audit notices in May, while business associates will likely receive audit notices in June or July.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising
