Governance & Risk Management , HIPAA/HITECH , Risk Assessments
HIPAA Audits: Getting Ready
Attorney Highlights Essential Preparation StepsFederal regulators appear to be getting closer to conducting the next round of HIPAA compliance audits, so now is the time for covered entities and business associates to prepare for potential enforcement scrutiny, says healthcare attorney Brad Rostolsky.
The Department of Health and Human Services' Office for Civil Rights recently began sending screening surveys to covered entities and business associates to identify potential candidates for the upcoming phase two of OCR's random HIPAA compliance audits.
A copy of the OCR survey that's available on the Office of Management and Budget website says: "This screening questionnaire is intended to gather data about the size, complexity, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program."
The survey notes: "Data will be used with other information to help us select entities that reflect a variety of types, size and locations for the Audit Program. Please note that if your organization is selected for audit, communications from OCR will be sent to the email addresses of the contact persons identified below."
A description of the survey on the OMB website says OCR is approved to send out surveys to 500 covered entities and 200 business associates.
An OCR spokeswoman declined to offer more details on the timeline for the audits. "OCR can confirm that we have started verifying contact information for covered entities," she says. "Additional information about the audit program is forthcoming. Check our website for updates."
Just because a covered entity or business associate receives a pre-audit survey from OCR, it doesn't necessarily mean they'll definitely be audited, Rostolsky says in an interview with Information Security Media Group. "However, it narrows the pool."
Time to Prepare
All healthcare organizations and business associates need to take steps now to prepare for a potential audit, a breach investigation or other inquiry from federal regulators, Rostolsky says.
"Now, before anyone receives a screening or any other OCR inquiry ... take a moment while there is no chaos going on and do a good status check on your overall compliance efforts," he urges.
"Make sure your policies and procedures are in place; you've conducted your security risk assessment ... and it's been updated. Make sure you've been conducting [security] training and have evidence of that training."
Also, in anticipation of an audit or other potential regulatory enforcement actions, Rostolsky urges organizations that have had health data breaches or HIPAA violations to carefully reassess their actions in the aftermath of the incidents. "Take a look at your files in terms of how you've handled incidents of potential privacy rule violations. Did they amount to breaches, and when you determined the breaches, did you follow the rules correctly? Understand what you have in your files so that you're prepared for what OCR is going to see."
In the interview, Rostolsky also discusses:
- The differences between potential audits of covered entities versus business associates;
- What OCR will likely examine during HIPAA compliance audits;
- How to prepare for on-site versus remote desk audits. OCR officials have previously said both types of audits might be conducted, depending upon available resources (see HIPAA Audits: A Revised Game Plan).
OCR did not immediately respond to an ISMG request for comment on the status of the HIPAA audit program plans.
Rostolsky is a partner in the life sciences health industry group at the law firm Reed Smith. With a focus on healthcare regulatory and transactional law, he leads that group's HIPAA and health privacy and security practice. He's also a member of the firm's global Ebola task force. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance.