HIPAA Phase 2 Compliance Audits
Recently, the federal government has increased its audit activities with respect to compliance by health plans with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. Plan sponsors should remain aware of this initiative as the compliance audits continue.
Phase 1 Audits Have Been Completed:
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has completed a pilot (Phase 1) audit of 100+ "covered entities" (CEs), which included a broad range of health plans, health care providers, and health care clearinghouses. The Phase 1 audits were specifically designed to review the audited CEs' compliance with HIPAA's privacy, security, and breach notification rules as they relate to "protected health information" (PHI) of individuals. Phase 1 involved developing audit protocols, conducting audits to test the protocols, and then conducting the full range of audits.
Phase 2 Audits Have Launched - Selecting Auditees:
Phase 2 of OCR's HIPAA audit program is currently in progress and draws on OCR's evaluation of Phase 1. In Phase 2, every CE and every "business associate" (BA) is potentially subject to audit. A BA is a person or entity who, on behalf of the CE, creates, receives, or transmits PHI for some type of function of the CE (usually administrative). Practically speaking, for an audit of a CE that is a health plan, it is the plan's sponsor/administrator (generally, the employer) that must comply with the audit.
As part of this phase, OCR has obtained and verified contact information and sent pre-audit screening questionnaires to gather data from potential auditees. OCR has conducted a random sampling of potential auditee pools, and has notified CEs and BAs that they have been selected for audit. This notification was done via email so it is important to monitor spam or bulk email folders.
Phase 2 includes both desk and site audits. The first audits will be desk audits of CEs, followed by desk audits of BAs. It is expected that all desk audits will conclude by the end of December 2016.
Once desk audits are finished, site audits will begin, and will examine a broader scope of HIPAA rules and requirements. Desk auditees may also be subject to a site audit. OCR will notify CEs and BAs of their selection for a site audit. Site audits usually last 3-5 days and generally are more comprehensive, covering a wider range of requirements from the HIPAA rules.
How Ice Miller Can Help:
It is quite likely that if you haven't received a notice that you are subject to a desk audit by now, you may not, but continue to check your email. However, if you are a BA to a covered entity, you may still be notified of a desk audit. In addition, site audit notifications will not be sent for several months, so the risk of audit remains for all CEs and BAs. While an audit is a complex process, there is still time to prepare. Now is the right time to invest in your HIPAA compliance program. Violations of HIPAA's privacy and security rules can carry serious financial and reputational risks for CEs and BAs.
Ice Miller's OCR preparation program "Own Your Audit" is available to help you solidify your HIPAA compliance program. Built by our Data Security and Privacy team, the program is designed to help you position your organization to respond to an audit inquiry regarding your health plan. Click this link for more information on this program.
If you have questions or concerns about HIPAA's privacy and security rules, we can connect you with one of the attorneys on Ice Miller's Data Security and Privacy team who can help you ensure your HIPAA compliance program is up-to-date. Please contact Sarah Funke, Melissa Proffitt, Chris Sears, Tara Schulstad Sciscoe or the Ice Miller employee benefits attorney with whom you work. Additionally, if you are or have been selected for a Phase 2 audit, Ice Miller can help you prepare your audit response.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.