With HIPAA Phase 2, there is a short turnaround time when it comes to audit requests and that puts pressure on small businesses to be ready at any moment.
The HITECH Act (Health Information Technology for Economic and Clinical Health) means that the HHS (U.S. Department of Health & Human Services) is required to perform audits on a periodic basis of business associates and entities to ensure that they are meeting the Breach Notification, Security and Privacy Rules set forth in the Health Insurance Portability and Accountability Act.
In the following paragraphs, you will find information regarding both Phase 1 audits and Phase 2 audits as well as the background information that will be needed in order to prepare for one of these audits.
Phase 1 audits were rolled out in 2011, while Phase 2 audits began earlier this year. The audits in Phase 2 are focused on any areas of noncompliance that were identified in the Phase 1 audits. This can include improper notice of privacy practices, breach notifications and the analysis of security risk and management.
Targets for Audits
CE (Covered Entities) – Group health plans that are sponsored by employers, health care clearinghouses, pharmacies, doctors and health insurance companies.
BA (Business Associates) – An organization or person that actually provides services for a Covered Entity that involves access to any sort of Protected Health Information (PHI). These services can include things like benefit management and billing, data analysis, administration and/or processing claims. The service providers include but are not limited to pharmacy benefits managers, cloud data storage companies, consultants, attorneys, accountants and third-party administrators.
What is New in Phase 2?
The process is expected to begin similar to how Phase 1 began. This is where OCR will choose a large amount of Covered Entities from those that filled out surveys before the audit. However, with Phase 2, the Covered Entities that are audited will also submit a list of all of their Business Associates. OCR will then select the business associates to audit from those submissions.
Audited Entities Will Have a Short Turnaround Time
If you fall into any of the categories described above, then you need to be looking for audit and policies notices to come by email. Business Associates and Covered Entities need to be ready to respond to these notices within two weeks of receiving the data request and pending audit notification. OCR will only accept documentation that has been submitted on time, so it is critical that you already have the documentation needed readily available in case you get an audit request. If not, you will face having to undergo a full review and this could lead to further penalties. These penalties can include fines that can be as high as $50,000 for each violation with regards to failure to comply with the HIPAA laws, even for breaches that are unintentional – and this can go as high as $1.5 million per annum.
- Read all of the procedures and policies on the physical, technical and administrative safeguards that you have adopted for paper, verbal and electronic. These documents need to be final versions as opposed to drafts and they also need to be compliant with the Omnibus Final Rule from 2013. Actions of employees need to match your procedures and policies and this includes the notification procedure for breaches and the notice of privacy practice.
- Consider conducting a self-audit. You can use the current audit protocol for the HHS. There is an updated protocol expected that will reflect the Omnibus Final Rule and that has been refined for the Phase 2 audits but this protocol is not available at the time of this writing.
The audits in Phase 2 show us that the OCR is actually attempting to be more proactive in regards to enforcement than is it to reacting to any type of complaints. This is meant to be an audit program that is permanent and required by HITECH. This means that any Business Associate or Covered Entity can and will be a target. Keeping all of your compliance documentation and your records both accurate and up to date will allow for you to cooperate easily.