Immediate Action Required to Prepare for “Phase 2” HIPAA Compliance Audits of Both Covered Entities and Business Associates
In the wake of its pilot audits of Covered Entities in 2011 and 2012 uncovering widespread noncompliance, the Office for Civil Rights (“OCR“), which enforces the Health Insurance Portability and Accountability Act of 1996 (“HIPAA“), will reportedly commence its next round of HIPAA (“Phase 2“) audits in early 2016. Once an OCR audit of your business is initiated, it is too late to attempt to achieve HIPAA compliance. Therefore, organizations subject to HIPAA should ensure they are compliant now or they could face substantial liability.
Phase 2 Audits Will Include Business Associates
Both Covered Entities and Business Associates will be targets of the Phase 2 audits. As explained in a previous CSG Health Care and Hospital Law alert here, a 2013 rule change significantly expanded the definition of “Business Associate” and extended substantial obligations and liabilities directly to Business Associates that had before only applied directly to Covered Entities. Organizations that believe they are, or could be, Business Associates but have not yet implemented written policies and procedures should take immediate action to assess their HIPAA obligations.
How The Audits Are Expected to Work
Audited HIPAA entities should expect to receive a data request from OCR requiring a response within two weeks. All information supplied by the audited organization – which will likely be submitted to OCR through a new web portal – must be current as of the data request date. OCR is expected to provide a draft report on which an audited entity may comment before OCR issues a final audit report. Late submissions or failing to respond to a data request could subject an entity to further investigation and enforcement action. Accordingly, Covered Entities and Business Associates do not have the luxury of waiting to see if they receive a data request before ensuring they are HIPAA compliant.
How To Prepare for an Audit
In Phase 2, OCR will concentrate on the areas where it found high instances of noncompliance during the 2011-2012 audits. Covered Entities and Business Associates should prepare for the audits now by taking certain steps, including the following:
- Ensuring they have a current HIPAA risk assessment evaluating all vulnerabilities to protected health information (“PHI”), and have prepared and effected a risk management plan in accordance with the most recent OCR guidance.
- Ensuring that each Business Associate has in place a Business Associate agreement executed with any Covered Entity with which it exchanges PHI. Such Business Associate agreements should have been recently executed or revised to account for changes made by the HIPAA Final Rule effective March 26, 2013 (the “Final Rule”).
- Ensuring that sufficient breach notification policies and procedures are in place and that any breaches or potential breaches have been appropriately documented, mitigated, addressed and/or reported.
- Ensuring written HIPAA policies and procedures are in place and have been updated to account for changes in the Final Rule. Organizations should be prepared to provide OCR with current policies and procedures and to demonstrate complete implementation of such policies and procedures, including evidence of having completed appropriate HIPAA training.
In preparation for a possible HIPAA audit by OCR in the coming months, Covered Entities and Business Associates should immediately review and assess their obligations under HIPAA to ensure their compliance. Chiesa Shahinian & Giantomasi PC is prepared to assist clients with all their HIPAA compliance needs, such as developing or revising written HIPAA policies and procedures, responding to an OCR audit, developing or revising Business Associate agreements, conducting risk assessments and conducting workforce training. Should you have any questions regarding the OCR audits and what they mean for you and your business, please do not hesitate to contact an attorney on our Health Care and Hospital Team.