Phase 2 of HIPAA Audit Program Launches

From the College  |  Issue: May 2016  |  May 13, 2016

Understanding the differences between on- and off-site audits, and what each may require, is key to preparing for inquiries or audit letters. Off-site (desk) audits are documentation requests made by phone or electronic means; they are usually limited in scope and pertain to one or two provisions under HIPAA. OCR representatives may also ask a covered entity for a list of its business associates in order to verify that signed business associate agreements are on file.

On-site audits are frequently more intensive and include visits by federal investigators to provider practices. They cover a larger range of HIPAA requirements and verify that all compliance and permission policies are well documented and that all requests were answered in a timely manner. Bear in mind that documentation must be current as of the request date; it cannot be created after the inquiry. During an on-site audit, providers should be prepared to answer questions and to allow investigators to question staff directly. For example, HIPAA investigators may ask employees who their HIPAA privacy officer is, whether they may take work laptops home or email patients, and, if so, what privacy safeguards are in place.


While covered entities adopt new technologies to improve the quality and efficiency of patient care, practices are being held accountable for the safety and security of patient information. Healthcare security is often built around compliance, but compliance is not the same as security: an organization that is HIPAA and HITECH compliant should not take for granted that effective security measures are in place. Keep in mind that the objective of the Security Rule is to protect the confidentiality, integrity and availability of individuals' electronic protected health information. OCR's Phase 2 audit program is intended to identify best practices and to assess the controls and processes that covered entities have implemented. Practices should add a task to their to-do list: pull out the current HIPAA policy and procedure guidelines and spend some time verifying that security measures are in place to respond to, and report, any security breach of patient information.

Organizations should stay abreast of the regulatory updates from OCR on the HIPAA audit process. Key steps include:

  • Ensure emails are being monitored, because OCR messages may be routed to your spam or junk email folder. OCR has stated that it will send audit-related emails from [email protected]. Spam and junk email folders should be checked periodically for any correspondence from the agency. Failure to respond to an OCR email will not protect an entity from an audit; the agency plans to use publicly available information about entities that do not respond and include them in the audit pool. At the same time, treat such a message with the same caution as any other unsolicited email: a request that arrives by email can be impersonated, so confirm it through OCR's published contact channels before sending documentation.
  • Prepare a list of your business associates and have it readily accessible. Covered entities are encouraged to prepare this list in advance so they can respond to the request during the pre-audit phase if the practice is contacted.
  • Assign a security officer, or create an audit response team. Practices will have only 10 business days to respond to an OCR request for documentation, and only 10 business days to review the auditor's draft findings. Preparation is key: assigning a security officer or an audit team in advance to monitor your electronic systems as well as the storage of printed documents will help alleviate the strain on the practice when a request arrives.
  • Review the Phase 1 audit protocol, which is available on the OCR website. Even if your organization is not selected for an audit, working through the protocol is a good way to evaluate your compliance and avoid fines.
  • Keep up to date with OCR audit information. OCR has published its objectives for Phase 2, and they are available for review.

HIPAA and the HITECH Act are intricate laws, and compliance is mandatory if significant fines are to be avoided. Practices should monitor their current systems and train staff as necessary on how to respond to breaches.
