HIPAA Phase 2 Audits Include Business Associates

The short turnaround time to answer a HIPAA audit request puts pressure on you to be ready at any time.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health & Human Services (HHS) to perform periodic audits of covered entities and business associates to make sure they are complying with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.

Here’s a closer look at Phase 1 and Phase 2 audits and the background information you’ll need to prepare for a possible audit.

The HHS Office for Civil Rights (OCR) started Phase 1 audits in 2011 and launched Phase 2 on March 21, 2016. Phase 2 focuses on noncompliance areas identified in Phase 1, including security risk analysis/management, breach notifications and notices of privacy practices.

Audit Targets

Covered Entities (CE): Employer-sponsored group health plans, health insurance companies, doctors, pharmacies and health care clearinghouses (entities, such as billing services, that forward claims from health care providers to insurance payers).

Business Associates (BA): A person or organization that performs services for a CE involving access to protected health information (PHI). BA services include claims processing or administration, data analysis, billing and benefit management. Service providers can include third-party administrators, accountants, attorneys, consultants, cloud data storage companies, and pharmacy benefits managers.

New for Phase 2

The process starts out similar to Phase 1, where OCR chooses a broad range of CEs to audit from a pool of CEs that filled out preaudit surveys. But this time, audited CEs will submit a list of their BAs. OCR will choose BAs to audit from the pool identified by the CEs.

Short turnaround time for auditees

Be on the lookout for OCR’s audit notice and policies/procedures request, which will come by email, according to Data Privacy Monitor. OCR warns the email may be incorrectly classified as spam. CEs and BAs must be ready to respond within two weeks after OCR sends a pending audit notification and data request. Data Privacy Monitor stresses, “OCR will accept only documentation submitted on time; therefore, it is important to have documentation collected and available in anticipation of a request.” OCR could start a full compliance review for failing to respond on time, which could lead to penalties. Thomson Reuters Regulatory Intelligence reports OCR is authorized to impose fines up to $50,000 per violation for failure to comply with HIPAA, even for unintentional breaches, up to $1.5 million per year.

How to Prepare

  • Read your policies and procedures on the administrative, technical and physical safeguards you adopted for PHI (paper, verbal and electronic). The documents should be final versions, not drafts, and current with the 2013 Omnibus Final Rule. Employee actions should match your policies and procedures, including the breach notification procedure and notice of privacy practices.
  • Conduct a self-audit. The current HHS audit protocol may be used. The protocol has been updated to reflect the Omnibus Final Rule.
  • Business associates. Compile a list of your BAs with contact information. BA agreements, ensuring privacy and security of PHI, should be in place and current with the 2013 Omnibus Final Rule.
  • Employees with access to PHI need HIPAA compliance training. Keep training records.
  • Security risk assessment. Document that any identified vulnerabilities have been evaluated and addressed, potentially preventing a data breach.
  • Electronic devices. Laptops, phones and flash drives with PHI should be encrypted.
  • Building security. Keep PHI safe.

The second phase of audits shows us that OCR is trying to be more proactive with enforcement rather than reacting to complaints. OCR is planning for a permanent audit program, as required by HITECH, so any CE or BA is a potential audit target. Keeping compliance documents and records updated and accurate will help you cooperate with ease as an auditee.

Jenny Lucey, CEBS
Information/Research Specialist at the International Foundation
