Phase II Of The HIPAA Audit Process Is Underway

According to the US Department of Health & Human Services (HHS), the second round of HIPAA audits has commenced, meaning that the contact information for all HIPAA-related business associates and covered entities is currently being gathered to begin process of determining which organizations and businesses will be audited. These audits will be performed by the HHS Office for Civil Rights (OCR).

Next, we’ll break down the process determining how an organization or business is chosen for an audit. When chosen for an audit, the business or organization will receive an email from OSOCRAudit@hhs.gov communicating the next steps in the process.

What Organizations Should Be Prepared For An Audit?

According to the document released by the HHS Office of Civil Rights, “Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities.”

This means that your business needs to be prepared for an audit confirmation at any time. A few of the factors that will be used when determining the auditee, include size of the business or organization, the type of business or organization, affiliations of that business or organization, and if the business or organization is public or private.

How Will The Process Work?

Once the contact information of all healthcare-related business associates and organizations has been compiled, a questionnaire will be sent to all organizations to help determine the qualifying factors. Also, healthcare organizations will be asked to prepare a list all of their business associates, as well.

Once the questionnaires have been completed and received by the OCR, a “random sampling” will be taken to determine what businesses will in fact be audited. For businesses and organizations that fail to respond or comply with the OCR’s audit questionnaires or communication efforts, that organization may then be chosen as an audit candidate and may also be subjected to a HIPAA compliance review.

If chosen for an audit, a business or organization will be required to comply with the request of either a desk audit or an on-site audit. Desk audits will require the proper documentation requested be sent digitally to the OCR, while on-site audits are a more comprehensive and intensive procedure, usually including 3-5 days of on-site inspection, dependent upon the size of the business or organization. Regardless of being notified for a desk audit or an on-site audit, all entities will have 10 business days to review the auditor’s assessment and include comments of their own. The auditor will then issue the final audit report within 30 business days of receiving the entity’s comments and review.

What Are The Penalties?

HIPAA violation penalties are dependent upon a variety of factors, including the severity of the violation, the size of the organization, the reason or cause for the violation, the organization’s HIPAA violation history, and the number of people connected to the organization that would be affected by the violation. These penalties can range anywhere from $100 to $50,000 per violation. The maximum fines that a single organization can face within a single calendar year is $1.5 million, unless the violation cause happens to be labeled as “willful neglect”, meaning that the organization deliberately chose not to correct an issue with their HIPAA requirements, which has no maximum or limit for a calendar year.

Penalties for failing a HIPAA audit vary and would most likely prompt a full-blown HIPAA compliance review, which could then, as aforementioned, result in millions of dollars in fines.

What Can You Do Beforehand?

To prepare for a potential audit, you should gather all information and documentation that directly pertains to maintaining HIPAA compliance. You’ll want to make the process as smooth and simple as possible.

Conducting an internal risk analysis overview of the entire business would also be beneficial, so that any internal findings may be corrected, in terms of HIPAA compliance, before the OCR determines if an audit is warranted. Using a secure email solution that is HIPAA-compliant satisfies the email portion required when ensuring that all electronic Protected Health Information (ePHI) actually remains protected.

Auditors will not be inspecting state-specific policies and regulations, but only the HIPAA governance of the HHS that comes in the form of Privacy, Security, and Breach Notification Rules.