HIPAA Phase 2 Audits have begun with a focus on policies and procedures. This means current and relevant policies and procedures. Those entities that have not updated their protocols since issuance of the Omnibus Final Rule or as a result of mergers or adoption of new systems may find themselves in the crosshairs of the Office for Civil Rights (OCR), the agency that enforces HIPAA.
These audits will include business associates (including IT consultants, billing services, accountants, attorneys and software providers that access patient information for quality assurance or control) as well as covered entities (healthcare providers and health plans). The focus of the U.S. Department of Health and Human Services (DHHS) on policies and procedures is not surprising. In most HIPAA investigations, OCR’s initial document request comprises a current HIPAA Security Risk Analysis, a copy of the organization’s policies and procedures, and documentation of workforce training on those protocols.
In its press release concerning the Phase 2 Audits, DHHS indicated that it will send a “pre-audit questionnaire” and, based on the results, determine which organizations would be selected for a desk audit (though, it points out, some on-site audits may be conducted). The press release notes that the questionnaire will include a number of questions “through which OCR will review the policies and procedures adopted by covered entities and their business associates” to determine if these protocols “meet selected specifications of the Privacy, Security and Breach Notification Rules.”
The best way to reduce the risk of an audit is a response to the questionnaire indicating that the covered entity or business associate has updated its protocols and trained its staff on the relevant policies and procedures. Clearly, then, the time to update those protocols and complete the required training is well before the questionnaire has been received. Review and update the policies and procedures now, with an interdisciplinary group comprising those who use Protected Health Information (PHI), personnel records, and IT, risk management and legal data on a regular basis. Protection of PHI and compliance with HIPAA are not tasks one specialty can, or should, cover alone.
The audit protocols of OCR are, as always, subject to change. If you have questions about responses to an OCR questionnaire or audit letter, please contact Kenneth N. Rashbaum.