With many competing priorities facing physician practices, HIPAA compliance and security are not topics that usually make it to the top of the list. That is not the case for the Department of Health and Human Services’ Office for Civil Rights (OCR), which has initiated a new phase of audits of physician practices, health plans, clearinghouses and business associates to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. Because most practices underestimate the importance of reviewing and updating their privacy and security guidelines, it is important to pay close attention to your covered entity obligations and business associate agreements as they relate to patient information.
In 2014 through 2015 (Phase 1), the OCR began work on building its audit protocol to glean information on covered entities’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The Phase 1 assessments of healthcare providers, health plans and clearinghouses revealed weaknesses in the internal databases and compliance programs of many entities, particularly those of small group practices. Although most of the security rules generally seem to be geared toward covered entities, the guideline for privacy compliance also extends to business associates that provide services for physician practices and hospitals.
Differences Between Phase 1 & Phase 2
It seemed that the OCR’s Phase 1 audits were disappointing, as they revealed many findings or observations of noncompliance related to Security Rule compliance. As stated before, Phase 1 focused mainly on HIPAA standards; Phase 2 will focus on key noncompliance areas and take a more comprehensive approach to the areas identified in Phase 1. This is in an effort to avoid the potential for data breaches and security gaps that can expose patient information and have a financial impact on the healthcare industry.
For the first time, the OCR’s Phase 2 audit program in 2016 will include business associates. Under the omnibus rule, a business associate is defined as any person or entity that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity. Currently, business associates provide services to covered entities that include billing, claims processing, consulting, management administration, accreditation and financial services. Additionally, with the increased utilization of health data analytics, most entities are outsourcing the handling, processing and analysis of this information to business associates, who thereby receive more access to patient documents and files.
Off-Site vs. On-Site Audits
Every covered entity and business associate is eligible for an audit. The OCR will conduct primarily desk audits, reviewing selected organizations’ policies and procedures against selected standards and implementation specifications of the HIPAA regulations, with a projected completion date of December 2016. The main focus will be on areas that pose a greater risk to the security of protected health information (PHI). Keep in mind that the OCR has indicated that some on-site audits will also be conducted.
Understanding the differences between on- and off-site audits and what may be required is key to preparing for inquiries or audit letters. Off-site or desk audits refer to documentation requests by phone or electronic means; they are usually limited in scope and pertain to one or two provisions under HIPAA. OCR representatives may also ask all covered entities for a list of their business associates to verify that signed agreements are on file.
On-site audits are frequently more intensive and include visits by federal investigators to provider practices. They examine a larger range of HIPAA requirements and verify that all compliance and permission policies are well documented and that all requests were replied to in a timely manner. Bear in mind that all documentation must be current as of the request date and cannot be created after the inquiry. During on-site audits, providers should be prepared to answer questions and to allow investigators to direct questions to their staff. For example, HIPAA investigators may ask employees who their HIPAA privacy officer is, whether they can bring work laptops home or email patients, and if so, what privacy safeguards are in place.
While covered entities adopt new technologies to improve the quality and efficiency of patient care, practices are being held accountable for ensuring the safety and security of patient information. It should be noted that healthcare security is built around compliance, but even when an organization is HIPAA and HITECH compliant, it should not be taken for granted that effective security measures are in place. Keep in mind that the main objective of the Security Rule is to protect the privacy of individuals’ health information. The OCR’s Phase 2 audit program intends to identify best practices and assess the controls and processes implemented by covered entities. It is imperative for practices to add a task to their to-do list: pull out the current HIPAA policy and procedure guidelines and spend some time verifying that security measures are in place to respond to and report any security breach of patient information.
Hopefully, organizations are staying abreast of the regulatory updates from OCR on the HIPAA audit process. Key steps include:
- Ensure emails are being monitored, because OCR messages may be routed to your spam or junk email folder. OCR has stated that it will be sending audit-related emails from [email protected]. All spam and junk email folders should be checked periodically for any correspondence from the agency. Failure to respond to an OCR email will not protect an entity from an audit; the agency plans to use publicly available information about entities that do not respond and include them in the audit pool.
- Prepare a list of your business associates and have it readily accessible. Covered entities are encouraged to prepare a list in advance for responding to this request during this pre-audit phase in the event the practice is contacted.
- Assign a security officer, or create an audit response team. Practices will have only 10 business days to respond to an OCR request for documentation, as well as only 10 business days to review the auditor’s draft findings. Preparation is key: assigning a security officer or an audit team in advance to monitor your electronic systems and the storage of printed documents will help alleviate the strain on the practice.
- Review the Phase 1 audit protocol. The Phase 1 audit protocol is available on the OCR website. Even if your organization is not selected for an audit, working through the protocol is a great way to evaluate your compliance and avoid any fines.
- Keep up to date with the OCR audit information. The OCR has published its objectives for Phase 2, and they are available for review.
HIPAA and the HITECH Act are intricate laws, and compliance is mandatory to prevent significant fines from being imposed. Practices should monitor their current systems and train staff as necessary on how to respond to breaches.
For additional information or to schedule a presentation for your practice on HIPAA compliance and security measures, contact Antanya Chung, ACR compliance officer, at 404-633-3777 x818 or via email.
Compliance
In March 2016, the Office for Civil Rights (OCR) announced a pair of settlement agreements, totaling nearly $5.5 million, with the Feinstein Institute for Medical Research in New York and North Memorial Health Care in Minnesota to settle possible HIPAA violations. The North Memorial Health Care case also involved a business associate, the Chicago-based revenue cycle management firm Accretive Health; according to the OCR, the provider and its contractor did not have the HIPAA-required agreement in place. These vulnerabilities are not uncommon, and although many think this will not happen to them, everyone should embrace security as a priority.