OCR HIPAA Audits, Phase II Reminders

Although Phase II Audits by HHS, Office for Civil Rights (OCR) were anticipated to begin during the summer of 2014, it looks as though they have now commenced. Phase I Audits were part of a pilot program, which included only covered entities and was conducted between 2011 and 2012. The purpose of the audits is to glean compliance with the HIPAA Privacy, Security and Breach Notification Rules, as expressed in the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

According to OCR's website, the "HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.

• The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for [protected health information] (PHI), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.

• The protocol covers requirements for the Breach Notification Rule."

There are a couple of notable differences between the Phase I and Phase II Audits. Phase I reviewed all of the HIPAA standards, while Phase II will focus on the key noncompliance areas identified in Phase I, as well as those areas associated with the security of PHI. Another purpose is to discern best practices. On the flip side, an entity, whether a covered entity or business associate, may be subject to civil monetary penalties in the event that a significant compliance concern is revealed.

In the event that a physician's office or one of its business associates are contacted, it has two weeks to respond to the audit request. The requests can be very specific; however, if the entity is compliant, then everything should be organized and easily accessible. Preparing for an OCR audit should be approached like a Joint Commission accreditation. In order to be reasonably assured that no major violations exist, physicians should do the following action items:

1. Have a third-party HIPAA risk assessment done by a qualified individual.

2. Make sure that all policies and procedures are up to date and are comprehensive.

3. Look closely at electronic files to find out which ones have been encrypted and which are not.

4. Create a complete file of all business associates and subcontractors, including their contact information.

5. Make sure that the Breach Notification Policy contains relevant state laws.

6. Make sure that a compliant Notice of Privacy Practices is in place and not just a website privacy notice.

HIPAA and the HITECH Act are very nuanced laws and the fines for not complying can be significant. Take the Phase II Audits as a signal that OCR is becoming more serious about compliance and enforcement of HIPAA rules and policies.