The U.S. Department of Health & Human Services (HHS) announced its preparation to move into its next phase of audits of healthcare covered entities and their business associates. According to HHS, “[t]he 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Physicians, medical practices, other providers and healthcare businesses, and their business associates, should take steps to ensure they are current and compliant with respect to HIPAA requirements.
Federal Investigation/ Medical Audit Lawyers
HHS is charged by federal law with the responsibility to enhance and protect the health and well-being of all Americans. To that end, HHS, through its Office of Civil Rights (OCR), endeavors to ensure high quality health and human services and promote advances in medicine and public health. Federal law known as the Health Information Technology for Economic and Clinical Health Act (HITECH) requires HHS to conduct periodic audits of healthcare providers and their business associates to ascertain compliance (or lack thereof) with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. The HIPAA Privacy, Security and Breach Notification Rules, though very important to our government’s efforts to protect protected health information (PHI), are additional burdens for those in the business of providing healthcare and their business partners who might have access to PHI.
A few years ago, OCR used a “pilot” audit program to assess a sampling of covered entities’ progress in implementing HIPAA’s requirements for protecting PHI. Now, utilizing the information obtained by its pilot audit program, OCR will begin auditing both healthcare providers and their business associates. Beginning this year, OCR will review and analyze policies and procedures adopted by covered entities and business associates against the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
Watch for OCR’s Email Notification and Pre-audit Questionnaire
Using public information, OCR will create its “audit subject pool.” OCR will send emails to healthcare providers and business partners to verify an entity’s address and contact information. Entities that fail to respond to the email may be at greater risk for selection for a compliance review. As these communications are electronic, OCR has indicated that “it expects entities to check their junk or spam email folder for email from OCR.”
Entities that confirm their information in response to the email, may receive from OCR a “pre-audit questionnaire.” The questionnaire is intended to obtain and marshal information about the size, type, and operations of potential auditees, for use in creating a potential audit subject pool.
According to OCR, the upcoming audits will “enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” OCR also expects the information obtained will assist it in developing its permanent audit program.
What should you do if you receive a letter from HHS/OCR?
If you receive a letter, email or other notification from HHS/OCR, it is advisable to provide a copy to your healthcare consultant or lawyer to ensure you take proper steps to respond and otherwise protect your interests. A sample HHS/OCR letter is provided in this link. HHS also provides information about the timeline for an audit.
Georgia Business and Healthcare Attorneys
*Disclaimer: Thoughts shared here do not constitute legal advice.
Source: HHS website (Health Information Privacy Page)