Will Your HIPAA Policies and Procedures Pass an Audit?

The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has announced that, beginning next year, it will conduct random audits of covered entities and their business associates to determine whether they comply with the privacy and security standards of the Health Insurance Portability and Accountability Act (“HIPAA”). The best way to prepare for such an audit is to perform a self-assessment of your HIPAA policies and procedures so that you identify and resolve any potential issues before an auditor discovers them.

Background and OCR HIPAA Oversight

Covered entities and their business associates are required to comply with HIPAA, which mandates safeguarding and protecting individuals’ protected health information (“PHI”). Covered entities include insured or self-insured health plans and health care providers. It is important to note that while an employer who is not a health care provider or health care clearinghouse is not a covered entity, if the employer sponsors a group health plan, the group health plan is a covered entity. Business associates include third-party administrators, actuaries, attorneys, CPAs and other vendors.

When errors are discovered during an investigation or audit, OCR may insist that you take corrective actions (such as retraining staff, revising policies, or implementing additional safeguards). In serious cases, OCR may assess significant civil penalties (ranging from $100 per violation to $50,000 per violation, subject to annual maximums) or bring you into court to face criminal penalties (ranging from hefty fines to imprisonment). One factor shown to lead to more significant penalties in audit cases is a failure by the covered entity or business associate to demonstrate good faith efforts to comply with HIPAA. For example, in a recent settlement with OCR, an insurance holding company was ordered to pay $3,500,000 to settle potential HIPAA violations and to satisfy certain requirements focused on HIPAA training.

OCR is responsible for overseeing and enforcing compliance with HIPAA. This oversight authority generally includes performing investigations in response to complaints, tips and/or media reports, and proactively conducting audits. Beginning in 2016, OCR has committed to doing the following:

  1. Fully implementing a permanent audit program.
  2. Maintaining complete documentation of corrective action.
  3. Developing an efficient method in its case-tracking system to search for and track a covered entity’s history of being investigated.
  4. Developing a policy requiring OCR staff to check whether a covered entity has been previously investigated.
  5. Continuing to expand outreach and education efforts to covered entities.

Will You Be Audited?

Although complaints, tips and media reports increase the chances of being audited, simply being a covered entity or a business associate means that you are at risk of being randomly audited by OCR. Also, having been audited in the past does not mean you will not be audited again in the future.

How Will OCR Perform Its Audit?

OCR has discretion to decide how to perform its audit (e.g., interviews, document review, on-site review, etc.). The audits that are set to occur in 2016 will focus on common areas of HIPAA noncompliance and will seek to test the effectiveness of desk reviews as compared to on-site reviews of HIPAA policies and procedures.

What Types of Questions Should You Be Prepared to Answer in the Event of an Audit?

  1. Do you have HIPAA-compliant policies and procedures in place?
  2. When was your Notice of Privacy Practices last updated?
  3. Do you engage business associates or are you engaged by a covered entity? If so, are HIPAA-compliant business associate agreements in place?
  4. Which employees are given HIPAA training? What does HIPAA training consist of? When did you last provide HIPAA training to your employees? How often is HIPAA training provided?
  5. Do you have proper HIPAA privacy and security systems in place to safeguard PHI against unauthorized use and disclosure?
  6. How do you dispose of PHI?
  7. How are unauthorized uses or disclosures of PHI reported?
  8. Has a HIPAA breach ever occurred? If so, how was it handled? Were changes implemented to prevent future HIPAA breaches?
  9. When did you last perform a comprehensive risk analysis and how often is an analysis conducted?

What Should You Do Now?

You should take the following steps as soon as possible:

  1. Documentation. Prepare a file or list of all of your HIPAA-related policies and procedures to ensure they are easily accessible in the event you are audited.
  2. Self-Assessment.
    1. Perform a self-assessment of your HIPAA policies and procedures to determine whether they comply with HIPAA, accurately reflect your operations, and are being properly followed. The assessment can be performed by your company or by legal counsel. If the assessment is performed by legal counsel, it may be possible to protect confidential communications between legal counsel and the company under the attorney-client privilege and thereby avoid having to disclose those communications in the event of an audit.
    2. Confirm that you have current business associate agreements in place with all vendors (or, if you are a business associate, with all covered entities and subcontractors).
  3. Action Plan. In the event noncompliance issues are discovered during your self-assessment, develop an action plan to correct or otherwise eliminate those issues.
  4. Audit Contact. Ensure that all staff who may reasonably be expected to come into contact with PHI are aware of your HIPAA policies and procedures, and the proper HIPAA officer to whom any OCR audit communications should be sent.