This year, the Office for Civil Rights (OCR) has an increase in their budget to support their audit program as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
According to the OCR, the audit program will offer an invaluable tool to help ensure Health Information and Accountability Act (HIPAA) compliance by covered entities and business associates.
Here is a review of OCR's HIPAA audit program and some recommendations to help your organization be prepared in the event you are selected for an audit.
2016 Audit Program to include "desk audits" and "on-site reviews"
Phase 2 of OCR's audit program includes comprehensive "desk audits" as well as "on-site reviews" of policies and procedures. Phase 2 will include audits of both covered entities and business associates. This will be the first time OCR will directly look at business associates policies and procedures. According to OCR, the audit program is a proactive approach to evaluating and ensuring HIPAA privacy and security compliance.
OCR will be sending pre-audit surveys to covered entities and business associates. While the OCR intends on selecting approximately 350 covered entities and 50 business associates, this number is subject to change.
OCR HIPAA Audit Protocol
OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol focuses on privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity or business associate selected for review.
Moreover, OCR will focus on Phase 1 Audit violations, such as Security Risk Analysis (SRA) and risk management, breach notification, notice of privacy practices (NPP), and individual access to protected health information (PHI).
Our Recommendations
As long as you are prepared, you should not worry. We recommend the following 10 steps to ensure you are prepared in the event of an OCR HIPAA Audit:
- Policies and procedures must be implemented, documented and should be specific to your organization as necessary.
- Employees must receive training on policies and procedures at the time of hire, on an annual basis, and whenever there are updates.
- Perform a HIPAA Virtual Walkthrough. What safeguards do you have in place to ensure PHI is secured? Are you using and disclosing minimum necessary PHI?
- Review or conduct a SRA and have a corrective action plan in place to address any identified deficiencies.
- Have an inventory of any and all devices that access ePHI.
- Any mobile devices that access ePHI must be properly secured preferably encrypted.
- Ensure your NPP is current, available upon request, and prominently posted within your facility. Does your NPP include instructions for filing a complaint?
- Review your processes and any documentation that supports individual rights to access PHI e.g. if a patient has made a request do you have supporting documentation that reflects timely response?
- Breaches of unsecured PHI that affect fewer than 500 individuals, must be submitted to the Secretary within 60 days of the end of the calendar year in which the breach was discovered. This means breaches should be reported no later than February 29, 2016 especially with increased focus on audits of covered entities and business associates in 2016.
- Know definition of a business associate and who your business associates are. Do you have a list of your business associates? Are business associate agreements in place?
Ifyou have any questions, please feel free to reach us by phone toll-free at 855-427-0427 or send us an email at[email protected].