How to prepare for a HIPAA audit
The Department of Health and Human Services’ Office of Civil Rights has announced it will be launching phase two of the Health Insurance Portability and Accountability Act audit program. Advisers can help clients prepare by updating policies and procedures, among other steps.
HIPAA provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs, reduces healthcare fraud and abuse, mandates industry-wide standards for healthcare information in electronic billing and other processes, and requires the protection and confidential handling of protected health information.
HIPAA established national standards for the privacy and security of protected health information, and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk.
HITECH requires OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules. OCR conducted its initial audits in 2011 and 2012 to assess the controls and processes implemented by 115 covered entities to comply with HIPAA.
Phase two of the audit will focus on any covered entity and business associate. OCR will identify pools of covered entities and business associates representing a wide range of healthcare providers, health plans and healthcare clearinghouses.
Roy Bossen, partner at Hinshaw & Culbertson LLP, says the law firm he works for is considered a business associate because the firm handles medical malpractice cases.
“When we defend a hospital or a doctor, we have access to Protected Health Information (PHI),” Bossen says. “There is a requirement in HIPAA for what a business associate must do to protect [PHI] as well.”
Bossen says there is no specific penalty for failing the audit; however, an entity or business associate could still face fines following a failed audit.
“The next phase of the audit will be called a compliance review,” he says. “[Entities and business associates] will require a more in-depth review of what their policies and procedures are, and that could theoretically lead to fines and penalties.”
Bossen stresses that it is important for employers to determine whether they are a covered entity or a business associate, or whether the audit even applies to the employer’s business. An employer that operates its own plan would be considered a covered entity.
Advisers and brokers can assist their clients by making sure employers’ policies and procedures are up to date, while also making sure that each employer’s actual practices match up with those up-to-date policies and procedures.
“It is not uncommon in any field to have a great policy manual that’s in a nice binder on a shelf or an email document that gets sent out, but nobody practices the organization of what their policies and procedures stipulate,” Bossen says.
The HIPAA phase two audit program will begin in the next couple of months, and a covered entity or business associate may be contacted for either a desk audit or an onsite audit.
Both audits can take up to 10 days to be reviewed, and the auditor will deliver the entity’s final report within 30 business days.