Phase 2 audits from the OCR should be taken seriously, and that includes a significant review of HIPAA policies and procedures. Don’t assume the compliance program you’ve had for years is good enough for an audit, warns Stephanie W. Schreiber, JD, shareholder in the healthcare section within the law firm of Buchanan Ingersoll & Rooney in Pittsburgh.
“Back in 2003, when HIPAA first came into play, everyone was involved with writing policies and procedures. Then, many entities put those policies on the back shelf,” Schreiber says. “As new rules came out, they took them out and looked at them again. The 2013 Omnibus Rule prompted some to update those policies, but simply looking at your policies and updating them is in itself insufficient for an audit.”
Schreiber advises consulting HIPAA rules and assessing whether your existing policies and procedures address all the requirements. Entities can narrow that assessment somewhat because unlike a general compliance audit, OCR in Phase 2 focuses primarily on aspects of the privacy, security, and breach notification rules.
The privacy rule could be the least challenging for covered entities. Some of the most common problems an audit might uncover involve up to date privacy notices, mechanisms for providing notice, and prominently displaying the privacy notice online.
“I suspect the security rule will be more of a struggle for some covered entities, and I think OCR is going to look there with more intensity,” Schreiber says. “This is all about assessing how your organization holds and transmits PHI, how it is protected, and whether you have done risk assessments and updated those assessments in light of all the cyber threats recently.”
The Phase 2 audit process begins with OCR sending an email to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. Once it receives that information, OCR then transmits a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees. That data will be used with other information to select entities for audits. If an entity completes the pre-audit questionnaire, OCR will use publicly available information, which may still be selected for an audit.
The same applies when OCR sends notice that a facility has been selected for an audit. Pretending the notice never arrived won’t help.
“Failing to respond to the audit notification does not mean you won’t be audited. Rather, it is likely that even more attention will be paid to you,” Schreiber warns. “Depending on what they find in a Phase 2 audit, it could lead to a general compliance audit, which would be much broader.”
- Stephanie W. Schreiber, JD, Shareholder, Healthcare Section, Buchanan Ingersoll & Rooney, Pittsburgh. Telephone: (412) 392-2148. Email: email@example.com.