HIPAA audits target business associates
Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates. These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights. For business associates, desk audits will target breach notification and the security rule’s risk analysis and risk management requirements. OCR intends for the desk audits to begin anytime now and to conclude by the end of the year.
Next year, OCR plans to conduct full audits of all the HIPAA requirements of a selected group a both business associates and covered entities. These full audits will involve auditors coming on-site for several days.
Where have we been: Background on HIPAA audits
OCR previously conducted onsite audits of covered entities, such as health care providers, health plans, and health care clearinghouses. This round of audits involves desk audits and onsite audits of both covered entities and business associates. So far in this round, OCR is in the process of performing desk audits of covered entities. The desk audits began on March 21, 2016, with OCR sending email to some covered entities and business associates verifying primary contact information. OCR sent follow-up email with pre-screening questionnaires (to collect demographic information about the potential auditees) beginning April 4.
After that, OCR sent emails initiating desk audits of 167 covered entities on July 11. OCR requested names and contact information of the auditees’ business associates. Covered entities either were audited on privacy/breach practices, specifically notice of privacy practices, the individual right of access, and breach notification. They also audited security practices concerning information security risk analysis and risk management.
The 2016 audited entities have submitted their documentation supporting their HIPAA compliance efforts and are awaiting the results. OCR now is turning its attention to business associates.
Where are we going: Preparing for audits
Here are some considerations for financial organizations that are business associates. First, don’t let audit requests get lost within the organization. According to OCR representatives, audit requests will be sent to business associates based on contact information provided by covered entities during the earlier desk audits. OCR will not be verifying contact information directly with the business associates. Since contact information likely will be coming from customers, it is possible that OCR communications will go to the sales or business contacts rather than the organization’s internal HIPAA officials. Financial organizations should take steps so that the correct person within the organization gets the audit requests in a timely manner.
Second, keep OCR out of the spam filters. OCR sends its audit communications by email, and previous auditees have reported that these emails have wound up in their spam filters. Of course, it also is important to verify that emails purporting to be from OCR are not phishing attacks.
Third, be ready. To prepare, business associates should review the OCR desk audit protocol and related guidance issued to covered entities that already have been audited. We also anticipate that OCR will issue desk audit protocols for business associates before sending document requests. Financial organizations also may want to leverage others tools (such as the DWT HIPAA Audit Toolkit for Financial Organizations) to prepare for both desk and onsite audits and to improve their compliance posture.
Fourth, prepare to demonstrate compliance. The audits require an entity to demonstrate its HIPAA compliance — it is not enough to simply have policies and procedures. For example, the covered entity desk protocol requested copies of current and recent risk analyses and risk management plans and evidence that appropriate workforce had access to and had reviewed the risk analyses and risk management plans.
Fifth, recognize the need for speed. Business associates likely will have only 10 business days to respond. Financial institutions should verify that their risk analysis, risk management, and breach notification policies, procedures, and supporting documentation are in place and readily available.
Finally, know your subcontractors. OCR may want to augment its business associate list for future compliance and enforcement actions. Therefore, financial institutions should verify their ability to generate a list of subcontractor business associates, including associated contact information.