HHS releases protocol for forthcoming HIPAA audits
The Department of Health and Human Services’ Office for Civil Rights launched Phase II of its audit program on March 21. Since that time, a significant amount of new information has emerged, including details regarding the pre-screening questionnaire (to collect demographic information about potential audit candidates), what information audited covered entities must provide about business associates, confirmation of what areas OCR will audit in its initial desk audits, timing of when the actual audits will begin, and an updated audit protocol. Because OCR intends to send out audit requests within the next two months and audited entities will only have 10 business days to respond, now is the time to ensure that documents are in order, especially if you have received a pre-screening questionnaire.
Audit Pre-Screening Questionnaires – After sending out contact verification e-mails around March 21, OCR published the Audit Pre-Screening Questionnaire on April 4. OCR e-mailed the questionnaire to covered entities (and some business associates) soon afterwards.
We do not know how many organizations have received questionnaires. OCR previously stated in 2014 that 550-800 organizations would receive one. This number may have changed. But with a total of 200 desk audits, it is likely that only a minority of recipients of the questionnaire will actually be chosen for audit. OCR is using the demographic information collected in the questionnaires to identify a diverse sample of covered entities and business associates.
List of Business Associates – On April 4, OCR also identified what information it will seek from covered entities regarding business associates. If OCR selects a covered entity for audit, it will seek information about each of the covered entity’s business associates, including each business associate’s name, type of services provided, contact information for a first point of contact, contact information for a second point of contact, and a website URL. Covered entities should keep in mind that they will only have 10 business days to provide this information for each of their business associates (along with the other requested documents).
What Will Be Audited – While not on its website, OCR has confirmed that the subject of the initial desk audits remains the same as what we reported in 2014.
For covered entities audited on privacy, OCR will focus on notice of privacy practices and an individual’s right of access.
For covered entities audited on security, OCR will focus on risk analysis and risk management.
For covered entities audited on breach notification, OCR will focus on the timing and content of breach notifications (or, alternatively, breach risk assessments documenting that an impermissible use or disclosure was not a breach).
For business associates, OCR will focus on risk analysis, risk management, and timeliness and content of breach notification to covered entities.
Updated Audit Protocol – Around April 4 and 5, OCR also updated the HIPAA Audit Protocol, which is available here. We have created a redline comparing the revised audit protocol to the prior one, available here. As you will see, while OCR talked about updating the audit protocol for the Omnibus Rule, they actually completely overhauled the protocol. We believe the revised protocol is a significant improvement over the prior version, including by distinguishing between which parts are applicable to covered entities, and which parts are applicable to any entity (meaning a covered entity or a business associate).
Timing – While the audit program has been delayed in the past, OCR is now pursuing an aggressive timeline. They have indicated that they intend to begin conducting desk audits of covered entities in May, desk audits of business associates in June, and complete a smaller number of onsite audits by the end of the year.
What to do now?
If you are a covered entity and have not received an address confirmation e-mail or pre-screening survey (check your spam folder and instruct workforce who may have been identified by OCR as a contact to do the same), then congratulations! You are not in the pool for the initial Phase II desk audits (and likely not subject to a Phase II onsite audit, but that is less clear). Now is not the time to relax, though. OCR is using the audit program to highlight areas where it has seen significant non-compliance and where it is likely to focus its enforcement efforts. Accordingly, covered entities and business associates may wish to focus on reviewing compliance with those areas. You may not have received a screening questionnaire this week, but you may receive a complaint or suffer a breach next week. Either way, you want to ensure that your documentation is in order.
If you received a pre-screening survey, then now is the time to ensure that your documents are in order and that you are prepared to respond within 10 business days. Potential steps to prepare include:
- Cataloging your business associates in a spreadsheet (name, services provided, first and second points of contact, and website URL) that you will be able to quickly provide to OCR.
- Using the updated audit protocol to identify potential gaps in documentation, especially related to notice of privacy practices, right of access, risk analysis, risk management, and breach notification. For example, do you have six years of documentation of the location of your designated record sets?
- Conducting a mock desk audit exercise to ensure that you can provide requested documentation within 10 business days and can respond to a draft audit report within 10 business days.
- Using the updated audit protocol to conduct a mock onsite audit.
The information in this legal alert is for educational purposes only and should not be taken as specific legal advice.