The federal government has launched the second phase of its HIPAA Audit Program and will soon be identifying health providers it plans to target.
For the 2016 Phase 2 HIPAA Audit Program, auditors will review policies and procedures enacted by covered entities and their business associates to meet selected standards of the Privacy, Security, and Breach Notification Rules, according to a March 21 announcement by the Department of Health & Human Services Office for Civil Rights (OCR).
Physicians and other covered entities can expect an email at some point this year requesting that updated contact information be provided to the OCR. The office will then send health providers a pre-audit questionnaire to gather data about the practice’s size, type, and operations, according to the announcement. The government will use the data as well as other information to create audit subject pools. If an entity does not respond to the OCR’s contact request or the pre-audit questionnaire, the agency will use publicly available information about the practice.
Every covered entity and business associate is eligible for an audit, the OCR noted. For Phase 2, the government plans to identify health providers and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates to access HIPAA compliance across the industry. Sampling criteria for auditee selection will include size of the entity, affiliation with other health care organizations, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. Entities with open complaints or that are currently undergoing investigations will not be chosen.
The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates, OCR stated. OCR plans to complete all desk audits by December 2016. A third set of audits will be on site and will examine a broader scope of requirements under the HIPAA rules. Some desk auditees may be subject to a subsequent on-site audit, the government noted.
A list of frequently asked questions about the 2016 Phase 2 HIPAA Audit Program can be found on the OCR’s website.
Round 2 of the HIPAA audits follows a pilot program launched in 2011 and 2012 by OCR that assessed HIPAA controls and processes implemented by 115 covered entities. The second phase will draw on the results and experiences learned from the pilot program, according to OCR.
On Twitter @legal_med