How to Prepare Now That OCR HIPAA Audits Are Here

After years of waiting, the Office for Civil Rights (OCR) has finally sent out its initial round of notice letters for HIPAA audits. This first batch consists of 167 covered entities, who will have to answer a list of audit questions and provide a complete list of their Business Associates (BAs). BAs are where hosting partners come into play: a HIPAA compliant data center must sign a Business Associates Agreement with each covered healthcare provider. The OCR will be using these lists of BAs to choose around 30 BAs to audit, starting in September.

Even if your organization did not receive an audit letter, know that up to 50 more covered entities and BAs will face on-site comprehensive audits by OCR in early 2017. Now that OCR audits are upon us, how can healthcare providers and their business associates prepare?

Possible Punishments for Noncompliance

The HIPAA audits are (supposedly) non-punitive. OCR officials have stated that the end goal is to gather information about the state of the industry and compliance measures, and that as long as “good faith efforts” are being made, organizations are not likely to face enforcement action.

HIPAA fines and penalties can range in the thousands of dollars or even include jail time. If organizations are found to have “significant threats” to protected health information (PHI), they will likely invoke action from OCR.

Preparing for the Audit Process

OCR chose specific targets from a pool of over 10,000 covered entities and BAs in order to get a range of different sizes, types, health plans, and BAs. Those who received an audit notice provided contact information and all future communications are via e-mail. The first step is a pre-audit questionnaire, which can be found here.

OCR also requests organizations identify their business associates complete with contact information, from which randomly chosen auditees are notified. Covered entities can use a sample template to draft this list. 

The first round of audits consists of a questionnaire or “desk audit” to see if good faith HIPAA compliance measures are in place, focusing on security of PHI, access controls, written policies and procedures, evidence of ongoing risk assessment, and patient notices.

You can read more about HIPAA compliance here.

In the meantime, don’t just twiddle your thumbs and hope your HIPAA compliance measures will cut the mustard if you’re picked for the next round. Take some proactive steps and you’ll have to spend less time on a potential audit – besides, regular compliance checks provide valuable feedback on your ePHI security measures and handling protocol.

At a minimum, you should have the following pieces of documentation on hand:

• a list of Business Associates
• evidence of compliance protocol and measures in place
• current risk assessment (required by the HIPAA Security Rule)
• Notice of Privacy Practices as provided to patients or publically posted
• policies and procedures for access and incident responses, including a timeline of the notification process and breach management
• Evidence of access to PHI by patients

Some other useful steps to prepare include:

• locating and documenting all external and internal storage of PHI
• encrypting data at rest and/or in-transit
• employee, contractor, and third party training
• reviewing the administrative, technical, and physical policies and procedures required as part of Section 164.316 of HIPAA

Read on to see the timeline for this fall's OCR audits, including the involvement of Business Associates.