The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) will shortly commence a round of Phase 2 audits for compliance with the HIPAA Privacy and Security Rules. HHS Senior Advisor for Compliance and Enforcement Illiana Peters, at a recent conference, described the new round of audits as an “enforcement tool,” as opposed to the previous round of audits under Phase I, which were completed a year ago and did not result in many compliance reviews. A protocol for these new audits will be published shortly.
A number of these proceedings, Ms. Peters told the audience, will be “desktop audits,” in which auditors will request data and reports from electronic medical records and databases. Financial penalties, Ms. Peters noted, may result from random, or “spot” audits, as well as those initiated by data breaches.
The audit will be signaled by the organization’s receipt of a pre-audit survey, but not all organizations that receive the survey will be audited. The decision to audit will be made following a review of the response to the survey.
Healthcare providers and health insurance plans, then, should have a process in place to obtain the information required by the survey in a timely manner. Failure to submit all required information within the deadline presented by OCR will surely lead to a full audit. Many electronic medical record (EMR) platforms provide capability to compile information likely to be requested in a survey or audit, but the pertinent settings must be configured to provide this information. An EMR assessment, guided by advice on the provisions of HIPAA likely to be the benchmarks for a survey or audit, is a cost-efficient way to prepare for OCR, and has the collateral benefit of providing a path for timely and complete compliance with other audits and investigations, such as may be requested by the Office of Inspector General (Medicare and Medicaid fraud and abuse), the Joint Commission (formerly the Joint Commission on Accreditation of Healthcare Organizations, or “JCAHO”) or state Departments of Health.
If you have any questions regarding readiness for OCR surveys and audits, please contact Kenneth N. Rashbaum.