The Department of Health and Human Services Office of Civil Rights (OCR) will begin the second round of audits in early 2016 to ascertain covered entities' compliance with HIPAA's security and privacy requirements for Protected Health Information (PHI).
As background, HIPAA refers collectively to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009.
HIPAA establishes standards for protecting individuals' PHI that is created, received, used or maintained by covered entities, including group health plans and business associates. This standard requires that entities design, implement and enforce appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of PHI. The OCR is responsible for enforcing this standard.
OCR has established guidelines and tools that organizations can use to conduct internal assessments of compliance with key HIPAA requirements, including security policy development, security monitoring and detection, security governance and management, workforce training, incident response planning, and business associate conduct and contracts.
Round one of the HIPAA audits was conducted as a pilot program in 2011 and 2012. Round two of the HIPAA audits is intended to determine whether health care organizations and their contractors are complying with HIPAA privacy and security rules.
FCi Federal, a government services provider in Ashburn, VA, has been hired by the federal government to conduct the second round of HIPAA audits. The OCR has indicated that it is in the process of "verifying contact information for the business associates and covered entities that will be included in the Phase Two audits."
The second round of audits will consist primarily of desk audits, but there will be some onsite audits as well.
The OCR indicated it will release a protocol closer to the start of the audits, but it has informally indicated that these audits will target common compliance issues involving:
- Business associates and covered entities;
- Whether organizations have conducted company-wide risk assessments to identify their technical and procedural vulnerabilities;
- All aspects of security and privacy breaches; and
- Whether there are appropriate correction strategies, operational policies and employee training in place.
What should employers do to prepare?
Every employer should take steps to prepare for a second-round HIPAA audit. What should your company do to prepare?
- Conduct an internal comprehensive risk assessment to identify HIPAA issues before the OCR audits begin. OCR auditors will be looking to see if your HIPAA policies and procedures meet the latest privacy safeguards and security criteria (device encryption, media controls, data transmissions and security protocols), so a thorough review of existing policies and procedures is warranted.
- If you are not HIPAA savvy, consider hiring an outside professional to conduct your risk assessment as described above.
- Identify gaps and update documents as needed.
- Prepare and begin implementation of changes or additions to your current HIPAA policies and procedures.
- Train and/or retrain all of your employees on HIPAA policies and procedures. Be sure to document your training and education efforts.
- Create a complete list of all business associates and the services they provide to your organization. Have current (updated) business associate agreements in place, including those covering the use of subcontractors.
The last thing your company can afford to do is ignore the HIPAA requirements, particularly when facing the potential of an audit.