The Department of Health and Human Services’ Office of Civil Rights (“OCR”) recently announced that it will survey 1,200 covered entities (health plans, health care providers, and health care clearinghouses) and business associates (groups that provide certain services to covered entities) to determine the fitness of the organization for a formal audit. How have audits been conducted in the past and what can your organization do now to be prepared if OCR comes knocking?
First, your organization should have a good understanding of the purpose of OCR audits and what type of information is typically collected. As you may very well know, OCR is required to conduct periodic audits to determine covered entities and business associates’ compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA Rules”). During its 2012 Audit Program, OCR audited 115 covered entities. The 2012 Audit Program found that compliance with the HIPAA Security Rule was severely lacking and that approximately two-thirds of the entities audited had not documented an accurate and complete risk assessment. For every finding and observation cited in the audit reports, OCR determined a “cause” for the finding or observation. The cause most common across all entities surveyed was that the entity was “unaware of the requirement.” If it has been awhile since your organization last reviewed its HIPAA compliance program, now would be a good time to do so, particularly in light of the Final Omnibus Rule overhaul in 2013 coupled with the promise of OCR audits in the very near future.
Second, your organization should know what information will be collected in the 2014 survey. Specifically, the survey will collect data on the following topics: 1) recent data about the number of patient visits or insured lives, 2) use of electronic information, 3) revenue, and 4) business locations. This information will help OCR to determine the size, complexity, and fitness of an organization for a formal audit and should take an organization approximately 30-60 minutes to complete. Why is this survey announcement important to your organization?
If selected for a formal audit, your organization will want to be able to provide the documentation necessary to progress smoothly through the audit and avoid a compliance review. While OCR has not announced additional parameters for the upcoming 2014 audits, the 2012 Audit Program permitted OCR to initiate a compliance review if it learned of a serious compliance issue during the audit. It is safe to say the same discretion could be given to OCR in the 2014 audits. In other words, if your organization is selected for a formal audit, and OCR learns of a serious instance of non-compliance, it could open a compliance review that is separate from the audit. Working through these compliance reviews can take time and resources away from your organization’s everyday operations, particularly if your organization has an antiquated HIPAA policies and procedures. Not to mention the possibility of civil monetary penalties.
Practical Tips: To best prepare your organization for a 2014 OCR Audit:
1) Review your HIPAA policies and procedures to ensure that they are a true and current representation of your organization’s ongoing compliance efforts, not simply a binder sitting on your shelf.
2) Conduct and document an accurate, thorough, and complete risk analysis to determine your organization’s HIPAA compliance vulnerabilities, as required by the HIPAA Security Rule. Develop a timeline for addressing these weaknesses and document any subsequent action taken.
At The Bittinger Law Firm, we regularly assist our clients by reviewing existing HIPAA policies and procedures, conducting security risk analyses, and providing practice-wide HIPAA trainings. If we can assist your organization, please do not hesitate to contact our office.
__________________________________________ 79 Fed. Reg. 10158 (Published February 24, 2014).