What the Latest OCR Audit Emails Mean for Covered Entities and Business Associates
While HIPAA compliance precautions have become part of daily life for small and mid-sized healthcare organizations, many have not given a second thought to the potential of being audited by the Health and Human Services Office of Civil Rights (OCR) — until recently. In May 2016, OCR followed through with their plans to diversify their compliance audits to small and mid-sized businesses, and many received their first questionnaires last week.
While the Phase I Pilot Audits were limited to larger covered entities (CE), these Phase 2 audits are of a different scope — they will not be limited to only those larger covered entities. OCR has become aware that the vast majority of smaller healthcare organizations are not fully HIPAA compliant and that there is a serious gap in compliance among the business associate pool.According to the OCR, they will first identify covered entities and business associates in order to establish a diverse range of health care providers, health care clearinghouses, and health plans, and finally, business associates. Their goal is to consider a wider spectrum of healthcare candidates to appropriately assess compliance across the field while taking into account size, type, and operations capacity of auditees.
If you are a healthcare provider or business associate concerned about being audited or you have already received OCR audit correspondence, here is what you need to know:
Who will be audited and how will I know if my organization has been selected?
Health care organizations will receive email verification from OCR. You should check your Junk and SPAM folders, as missing your deadline will not be excused for failing to receive an email that was successfully sent — and failing to respond will only make your organization susceptible to an increased level of scrutiny.
Once you receive the email, you will be required to fill out your pre-audit survey. OCR will take the information they receive from these surveys to determine which organizations they will audit as part of Phase 2.
At this level, if your organization is audited it will likely be a desk audit process. You will be instructed to upload required documentation to a secure OCR audit portal. OCR has not yet identified the documents that they plan to require, so health care organizations that don’t want to get caught unprepared need to start organizing their documentation now. Work with your IT servicer to ensure that all patient health information (ePHI) compliance-related protocols are up-to-date and secure.
You will have only 10 business days to satisfy the documentation requirements. At that point, your investigator will review your information.
Is this audit a one-time occurrence?
No. The Phase 2 audit is a preliminary step to full implantation of OCR’s permanent audit program, so no organization will want to take it lightly as that could result in further auditing and a higher level of scrutiny in the long run.
If not audited as part of Phase 2, healthcare organizations and business associates should assume they will be audited at some point in the future.
What is the timeline of the audit?
The initial audit verification process has already begun, and OCR plans to have Phase 2 complete by December 2016.
If you received an email from OCR regarding HIPAA, don’t panic–but make sure you have your IT compliance and HIPAA documentation in order. This phase of audits is likely to be of the desk variety, and paperwork will be paramount. While this most recent auditing phase will likely focus first on covered entities, according to OCR, business associates are next on the list.
A comprehensive HIPAA IT compliance plan will help your organization prepare for any upcoming OCR audits. If your organization is selected for an audit, your reputable IT service provider can help you navigate the process. Where To Start is your trusted provider when it comes to staying at the forefront of the latest HIPAA compliance requirements and information technology innovations, security, and news. Contact us at firstname.lastname@example.org for more information.