By Christine Kern, contributing writer
Phase Two of HIPAA Audit Program expands to include covered entities and business associates.
Phase Two of OCR’s HIPAA audit program has begun, and the expansion could have important consequences for healthcare providers. Under the expansion of the audit program, OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools.
HIPAA affects more than providers — any organization or individual that creates, receives, maintains or transmits protected health information (PHI) as part of their services on behalf of the covered entity qualifies as a business associate, and thus is subject to HIPAA regulations.
HHS explained, “In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”
After the verification of address and contact information, OCR will send pre-audit questionnaires to gather data about the size, type, and operations of potential auditees, which will then be used to create the potential pool of audit subjects. If an email request goes unanswered, OCR will rely on public information about the entity to create its audit subject pool. The agency will post updated audit pools on its website closer to conducting the 2016 audits.
HHS notes, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.”
According to a 2015 HHS OIG report, OCR lacked complete documentation of corrective measures in one quarter (26 percent) of closed privacy cases. Additionally, OCR determined that nearly half of these cases were noncompliant with at least one privacy standard.