The American Recovery and Reinvestment Act of 2009 (ARRA) tasked the Office for Civil Rights (OCR), the division of the Department of Health and Human Services responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) and the regulations promulgated under it, with auditing covered entities and business associates for HIPAA compliance. Phase One of the audit program concluded in 2012, and covered entities and business associates have since been waiting for Phase Two. Phase Two will be the first time business associates may find themselves face-to-face with OCR, because the Phase One audits did not include business associates. The Phase Two audit protocol is expected to incorporate the changes made by the 2013 Omnibus Final Rule, which vastly expanded the types of entities falling within the definition of "business associate" and implemented the provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH) that make business associates directly liable under HIPAA for compliance with the Security Rule and most of the Privacy Rule.
Phase Two audits were expected to begin in late 2014, but Jocelyn Samuels, the Director of OCR, recently announced that budgetary and staffing considerations have further delayed the rollout. Although she did not name a date on which the Phase Two audits would commence, Ms. Samuels did not downplay their imminence, explaining that the audits would begin "expeditiously."
Despite the delays in implementation, covered entities and business associates would be ill-advised to wait idly for action by the government. Instead, they should use the time to self-audit, confirm that their organizations have taken the steps necessary to comply with HIPAA, including the Omnibus Final Rule, and make sure that compliance is adequately documented. Based on the Sample Initial Notification Letter posted on the OCR website, audit targets can expect to produce written responses to auditors contracted by OCR, such as KPMG. For business associates, many of whom are vendors to healthcare providers but are not themselves in the healthcare industry, this kind of document-intensive audit process may be new and unfamiliar territory.
Responses to the audits will depend heavily on documentation. Copies of required policies and agreements, such as business associate agreements and subcontractor business associate agreements, should therefore be readily available and easy to collect for production to the auditors. As was seen in Phase One, there may also be on-site audit activities, so business associates and covered entities may want to focus on training employees in the organization's HIPAA policies, procedures and compliance measures, since auditors on site may ask staff to describe them.
As a reminder for business associates (and subcontractors that are business associates), HITECH imposed the following requirements, among others, on business associates under HIPAA, and in particular the Security Rule: (i) conducting risk analyses; (ii) implementing required security policies and procedures; (iii) implementing technical security measures and facility access controls; (iv) adopting a contingency plan; and (v) conducting security awareness and training programs for all staff. Obligations under the Privacy Rule imposed on business associates include, among others: (i) limiting uses or disclosures of PHI to only those (a) provided for within the business associate agreement or (b) permitted or required under HIPAA; (ii) providing an accounting of disclosures; and (iii) entering into business associate agreements with subcontractors that satisfy the definition of “business associate” and comply with the provisions governing business associate agreements between covered entities and business associates.
Until the Phase Two audits begin, business associates in particular can take advantage of the delay to conduct risk assessments and similar internal audits, so that their organizations are prepared if and when they receive notification letters from OCR.