Let the HIPAA audits begin!

According to the U.S. Department of Health and Human Services (HHS), Phase-2 audit protocols continued on July 11 as the Office for Civil Rights sent out more than 100 audit notifications to selected covered entities.

Similar to jury-duty summons for civilians, most health care entities dread the audit letter and hope that they can slip by unnoticed. But, as promised, the OCR will be monitoring HIPAA compliance closely and cracking down on HIPAA violations.

According to a report from The National Law Review, the OCR sent audit letters to 167 health plans, health care providers and health care clearinghouses. Organizations have been instructed to check their spam folders, as the notification may have ended up there. In the letter, the OCR informed the selected organizations that they must respond to the desk audit within 10 business days.

For their responses, the selected organizations must submit all requested documentation to the OCR using an online portal. The scope of these audits will revolve around the Privacy, Security, and Breach Notification Rules. Each rule contains specific requirements for health care organizations. The audits require organizations to provide documentation showing how they are meeting the requirements.

As part of the Privacy Rule requirements, organizations must show how they handle the notice of privacy practices and patient rights to access PHI. For the Security Rule, the selected covered entity must have documentation on their risk analysis and risk management program. And, for the Breach Notification Rule requirements, they will need to show that they have breach notification procedures in place and that they are followed in a timely manner. These are all requirements of HIPAA that all covered entities and business associates should be following now, audit or not.

Essentially, all of this required information should be contained in the covered entity’s policies and procedures and their risk assessment. If you are unsure of whether your company has these procedures and documentation, be sure to check with your HIPAA Privacy and/or Security Officer to find out more. If your company does not have these designated officers, then you can pretty much expect that your organization would currently fail a HIPAA audit, which can lead to severe fines.

It’s also important to note that while the recent audits focus on covered entities, business associates are not off the hook. The OCR stated in their audit-program documents that the business-associate audits will begin in the fall. So, for business associates, there is still time to prepare for these desk audits.

Both covered entities and business associates should take this Phase-2 launch as a reminder of the importance of being prepared for a potential audit. Although your organization may not have been selected this year, you could easily end up in the mix for the next audits. Ten days is a very short amount of time to create all the necessary HIPAA documents.

Save yourself the stress and use HIPAAgps to help you prepare for HIPAA audits. Start your free trial today!