HIPAA

HHS begins second phase of HIPAA audits

The second phase of audits for compliance with the Health Insurance Portability and Accountability Act (HIPAA) regulations is underway. These audits provide an opportunity to get out ahead of problems that may exist before they result in breaches. Learn what you need to know about the process and the specific HIPAA provisions being reviewed.

The 2016 phase 2 HIPAA audit program, conducted by the Department of Health and Human Services Office for Civil Rights (OCR), is a key part of OCR’s health information privacy, security and breach notification compliance activities. The audit program allows OCR to assess covered entity compliance with the HIPAA regulations.

The AMA recently met with OCR about the audits to inform the agency of their concerns, noting that physicians are already attempting to successfully comply with the new Medicare payment system, the most significant change to that system in the last 25 years.

OCR underscored that the audit results are a tool to identify best practices and discover risks and vulnerabilities that OCR may not be aware of through their normal enforcement mechanisms and will be used for educational purposes, not enforcement.

The agency noted that if it uncovers a serious compliance issue through the audit process, it may initiate a compliance review to further investigate. The ultimate goal of the audits, however, is to help OCR provide better guidance to the health care community.

What to watch for and how to prepare

Earlier this year, OCR asked for contact information from a number of entities, though not all physicians contacted were selected to be audited. OCR selected a total of 167 health plans, health care providers and health care clearinghouses to be audited. Selected physician practices would have received an email from OCR on July 11. The email may be incorrectly classified as spam, so check your spam and junk folders to make sure you didn't miss it.

To determine auditees, OCR looked at a broad group of candidates to assess HIPAA compliance across the industry by factoring in size, affiliation with other health care organizations, the type of entity and its relationship to individuals.

If your practice is selected for an audit, you will need to submit the requested documentation and any written comments demonstrating your compliance with the following HIPAA requirements to OCR by July 22:

  • Privacy rule: Notice of Privacy Practices and Content Requirements, Privacy—Specific Requirements for Electronic Notice and Privacy—Right to Access.
  • Breach notification rule: Breach Notification—Timeliness and Breach Notification—Content.
  • Security rule: Security Risk Analysis and Security Risk Management.

Physicians can look up the specific information OCR will look for within the documentation for each of the above standards by searching for the standard on OCR’s audit protocol website.  Note that OCR is not collecting information on all of the provisions in the audit protocol; rather, it is only collecting documentation on the above provisions. 

OCR also told the AMA that it plans to offer a webinar to auditees with specific expectations about timeliness including instructions on how to upload the documents to its web portal.

The final audit report will be completed within 30 days of your response and OCR will share a copy of the final report with you.

The AMA has a number of resources available to assist physicians with HIPAA compliance, including a sample Notice of Privacy Practices, privacy and security toolkit, and a podcast on security risk assessments.

For more information on phase 2 of the OCR’s HIPAA compliance audit program, check out the audit phase 2 program objectives and frequently asked questions