What to Do If You are Notified of a HIPAA Desk Audit
For the last several years, everyone who works in health care has been hearing about privacy, security, breach notification rules and the possibility of additional audits. According to the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) has begun Phase 2 of the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. The audit program is designed to help the federal agency examine the methods by which covered entities and their business associates comply, what the best practices are, and where risks and vulnerabilities exist.
In Phase 2, OCR will conduct two types of audits: desk audits and onsite audits. Desk audits are currently underway and will continue through the end of December 2016. A desk audit is a request by HHS for set of documents. The documents may vary, depending on the subject HHS is examining, and auditees have 10 business days to supply the requested documents from the time they are notified of the audit. An onsite audit, on the other hand, is a more traditional audit, where a team visits the physical location of a covered entity or business associate. Phase 2 onsite audits begin in 2017.
Jorge Rey, CISA, director at Kaufman Rossin CPA Advisors, headquartered in Miami, FL, says when a covered entity or business associate is notified of a desk audit, “[OCR is] going to be looking for a list of documents. When you receive the letter, you don’t want to be in a position where you are trying to figure out what these documents are. In theory, you should have already been complying for a couple of years.”
Rey advises being honest if you do not have the documents OCR is requesting. It is not a good idea to try to use the 10-day time period to make it appear as if you have been compliant by fabricating documents. “You just need to provide the documents they are asking for,” he says. “It’s a laundry list of items. It can go up to 50 items. Be timely in your response to the request.” He adds that admitting you don’t have the documents may allow you to provide a reason to OCR such as an unforeseen computer glitch or issue with a vendor.
If you have been working to comply, chances are good that a desk audit will not be too challenging. The OCR has stated that the audits are designed to help them develop better guidance for industry self-evaluation. This phase of the audit program is focused on helping covered entities and business associates become or remain compliant, rather than punishing those which are not.
Rey says the first person who should be notified that a desk audit is to take place is the person in the organization responsible for HIPAA compliance: your practice privacy officer. The privacy officer may be the practice manager or office manager and is the person who will help get the documents together for the audit.
The best course of action is to behave as if you will be audited at all times. Unfortunately, practices are sometimes unwilling.
“We’ve had clients who are practitioners, and sometimes it’s a difficult conversation to have,” Rey says. He says that sometimes physicians simply don’t understand the security and privacy regulations and assume that having the types of safeguards that are sufficient for use in other situations, such as a firewall, are adequate. That is not the case. The privacy, security, and breach notification regulations of HIPAA require far more protection for patient information.
Regular risk assessments, reviews of policies and procedures, and staff training are all ways to both protect your business and ensure the privacy of your patients’ information. “You should start doing something before you get that letter,” Rey says. “You’ve been reading those articles for the last three years. It’s time to do something.”
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.