HIPAA Covered Entity Audits Hit High Gear
The HIPAA compliance audits announced in March have shifted into overdrive. On July 12, 2016, OCR announced that 167 covered entities (health plans, health care providers, and health care clearinghouses) were notified on July 11 that they have been selected for a desk audit. OCR will audit these covered entities for compliance with the following Privacy Rule, Security Rule, and Breach Notification Rule requirements:
OCR states it selected these requirements because the 2011/2012 pilot audits of 115 covered entities, as well as OCR’s enforcement, highlighted them as areas of noncompliance. The “risk analysis” requirement has been a particular enforcement focus.
Covered entities selected for audit received two communications from OCR: (1) a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a “unique link” for each organization to submit documents through OCR’s on-line portal; and (2) a request to provide a listing of the covered entity’s business associates, as well as information about an upcoming webinar in which OCR will explain the desk audit process and take auditees’ questions. Although OCR sent these emails to the address previously identified during the pre-audit phase, they may have been incorrectly classified as junk or spam, so covered entities are advised to check the junk and spam folders of anyone who might be considered a primary contact at the covered entity for communications from OSOCRAudit@hhs.gov.
Auditees have 10 business days (July 22, 2016) to respond to the desk audit document request. Desk audits of business associates will begin this fall.
An important note to covered entities: Even if you were not selected for a desk audit, you may still be chosen for a field audit in 2017. It is unknown at this time whether OCR will select field auditees from the covered entities and business associates identified for the desk audit pool, or from a different group of CEs and BAs.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.