The U.S. Department of Health and Human Services (HHS) has announced the start of the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules. Generally, the audit reports will be used to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. However, if a HIPAA audit reveals a serious compliance issue, HHS may initiate a compliance review to investigate further.
What does this mean?
Covered entities and business associates should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules to prepare for a possible audit. Closer to conducting the audits, HHS’ Office for Civil Rights (OCR) will post an updated audit protocol on its website to be used as a guide for internal self-audits of HIPAA compliance.
When will the HIPAA audits begin?
OCR has begun to obtain and verify contact information and to determine which entities are appropriate to include in potential auditee pools. Communications from OCR will be sent via email.
Who will be audited?
Every covered entity and business associate is eligible for an audit. OCR will not audit entities that have an open compliance investigation or that are currently undergoing a compliance review.
How does it work?
OCR will first conduct a pre-screening, which includes verifying contact information and sending the covered entity or business associate a questionnaire.
The first round of audits will be desk audits of covered entities, and the second round of audits will be desk audits of business associates. All desk audits in this phase will be completed by December 2016. The third round of audits will be on-site audits.
What happens after an audit?
According to OCR, audits are primarily a compliance improvement activity that will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. If an audit report indicates a serious compliance issue, OCR may initiate a compliance review to investigate further.