Page 28 - Delaware Medical Journal - June 2016
P. 28
HEALTH & LAW
Be Prepared: Phase 2 HIPAA Audits Set to Begin � B�ruce D. Armon; Karilynn Bayus; Brenna D. Kelly
On March 21, 2016, the U.S. Department of Health and Human Services, Office
for Civil Rights (OCR), announced the launch of the 2016 Phase 2 Health Insurance Portability and Accountability Act of 1996 (HIPAA) Audit Program (2016 HIPAA Audit Program). The 2016 HIPAA Audit Program will review the policies, procedures, and other activities
of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
According to OCR, there will be three
��������������������������������������� ��������������������������������������� covered entities. The second phase will
be desk audits of business associates. The two desk audit phases are scheduled to be completed by December 2016. The third phase will be on-site audits. The on-site ������������������������������������� Program website, will “examine a broader ������������������������������������� Rules than desk audits.” Desk auditees may be subject to a subsequent on-site audit, though an entity may be selected for an on-site audit who was not the subject
of a desk audit. The OCR did not provide a timeline as to when the on-site audits would be completed.
Every covered entity and business associate is eligible to be reviewed as �������������������������������������� ������������������������������������� website, OCR plans to identify pools of covered entities and business associates “that represent a wide range of health care providers, health plans, health
care clearinghouses and business associates.” OCR intends to select a
random sample of entities in the audit pools for audit. OCR did not quantify the number of audits that will be conducted.
In order to create the audit pools, OCR will send an email to covered entities
and business associates requesting that they verify their contact information. Thereafter, OCR will send a follow-
up communication with a pre-audit questionnaire. According to OCR’s press ���������������������������������������� Program, an entity is still eligible for audit even if the covered entity or business associate does not verify its contact information or answer the pre-audit questionnaire. OCR will use publicly available information about entities that
do not respond to create its audit pool.
If selected for an audit, OCR will notify the covered entity or business associate in writing and explain the process and OCR’s expectations. For desk audits, covered entities and business associates will have 10 business days to submit the information requested by OCR to OCR through a secure on-line portal. On-site audits will be conducted over a period ��������������������������������������
or on-site audit is conducted, OCR will
�����������������������������������������
The auditee will then have 10 business days to submit any written comments to OCR. OCR will complete an audit report within 30 business days of receiving the auditee’s response.
According to OCR, the audits are “primarily a compliance improvement activity” that are designed to give OCR ���������������������������������������� compliance efforts and to assist OCR in ����������������������������������� program. OCR warns, however, if an audit
report indicates a “serious compliance issue,” OCR may initiate a compliance review to further investigate.
While OCR states that it will not publicly post a list of audited entities ����������������������������������� individually identify an auditee, OCR may have to release this information pursuant to a Freedom of Information Act (“FOIA”) request.
����������������������������������
Program is available at www.hhs.gov/ hipaa/for-professionals/compliance- enforcement/audit/index.html.
������������������������������������
as a reminder to covered entities and business associates about the need for maintaining a current and comprehensive ������������������������������� covered entity or business associate ������������������������������������ compliance program, now is the time. It ������������������������������������ compliance monitoring and enforcement activities will continue in the future.
CONTRIBUTING AUTHORS
■ BRUCE D. ARMON is Chair of the Health Care Practice and Managing Partner of the Saul Ewing Law Firm in Philadelphia.
■ KARILYNN BAYUS is an Associate with the Saul Ewing Law Firm in Philadelphia and represents and counsels health care entities and physicians in transactional, regulatory, and administrative matters.
■ BRENNA D. KELLY is an Associate with
the Saul Ewing Law Firm in Philadelphia and advises clients on legal matters affecting the health care and pharmaceutical industries.
188
Del Med J | June 2016 | Vol. 88 | No. 6
