The Facts About HIPAA Audits

There’s been a lot of buzz about the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) gearing up for another round of HIPAA audits. The audits are not intended to be witch-hunts, despite how they are often portrayed. But they are also not anything to dismiss. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to impose privacy and security requirements and improve portability of health coverage. Most people are familiar with HIPAA because of special enrollment rights, or the security rules surrounding Protected Health Information (PHI), which is protected by HIPAA.

The OCR completed Phase 1 of their audit program back in 2011-2012. That round of audits focused solely on covered entities. Covered entities are health care clearinghouses, health care providers and health plans like those employers offer. Self-insured employers can be covered entities if they offer a self-funded plan.

Phase 2 began earlier this year. Phase 2 encompasses not only covered entities but also their business associates. The OCR has begun contacting covered entities and their business associates to verify contact information and place these entities in a pool of potential auditees. However, not everyone who has been contacted by the OCR will be selected for an audit. The OCR estimated it will select approximately 350 covered entities out of a pool of 550-800. Fortunately, the OCR has outlined its process for contacting and selecting business associates for an audit.

The Audit Process

The first step employers can take to prepare is to check their inboxes and spam filters regularly. The OCR will communicate via email, and unresponsive parties will still be entered into the audit pool. The next step is to wait for a letter confirming your selection for auditing. The OCR will send out an initial request letter to inform covered entities and business associates that they have been chosen for an audit and will request various documents and data. Responsible individuals will have 10 days from receipt to respond to the email and provide any documents or data requested.

The OCR will give auditees the chance to explain any potential discrepancies. The auditor will provide draft findings near the conclusion of the audit. Auditees have 10 business days to review them and return written comments as necessary. The final report is due within 30 business days after the auditee’s response.

Again, the OCR intends for these audits to help them understand the difficulties entities face in complying with HIPAA. They also want to help these entities improve their HIPAA compliance. Yet if they do find serious HIPAA concerns or breaches, they may launch an in-depth compliance review. Serious breaches may trigger monetary, civil and/or criminal penalties of varying degrees. Even though there’s no guarantee that your group will be selected, employers should consider some basic preparation.

Preparing for an Audit

There is a vast array of documents the OCR could request from an auditee. Companies should make sure they have easy access to all important documents should they be selected for an audit and prepare any documents they do not currently have in place. Some of the documents the OCR may request include:

  • Most recent Risk Analysis
  • Entity-wide Security Plan
  • Risk Management Plan
  • Network penetration testing policy and procedure
  • Encryption measures implemented on systems that store, transmit, or access e-PHI (electronic PHI)
  • List of members responsible for HIPAA compliance
  • Proof of HIPAA training
  • Disaster recovery plan tests and results

This is not an exhaustive list, but a good starting point for any company. Being prepared will ease the audit process and hopefully provide an extra dose of confidence to companies working with the OCR.


About Andie Schieler

Andie is an attorney and works in J.W.Terrill's Compliance division, specializing in interpreting the Affordable Care Act and various insurance laws. She advises clients on legal and regulatory issues affecting their employee benefit plans. She obtained her law degree from Saint Louis University and her undergraduate degree from Indiana University Bloomington.
