freshidea - Fotolia


HIPAA covered entities to be tested by audits in 2016

The Office for Civil Rights, under HHS, is ready to begin the next wave of HIPAA compliance audits on covered entities. Find out what they should expect and how to prepare.

Healthcare organizations should be ready to prove their compliance with HIPAA security, privacy and breach notification requirements because the U.S. Department of Health and Human Services Office for Civil Rights is set to begin the second phase of HIPAA audits. HIPAA covered entities and business associates are under tremendous pressure to prepare for the impending audits. Many of them are uncertain what it will mean for the performance of their business if they are selected for auditing and are concerned about the ramifications of not satisfying the audit requirements.

Deven McGraw, the OCR's deputy director, stated that OCR will review a variety of covered entities during the audits starting this year. These organizations figure to include small medical practices, midsize and large integrated delivery networks, and business associates. Those that are selected must provide documentation and details on their current processes, controls and policies to confirm they are in line with HIPAA requirements. The evaluation can be done in a few different ways: Some covered entities may be required to meet face-to-face with the third-party auditors selected by OCR, while others will be requested to provide all required documentation electronically and receive remote interactions.

The audit process for HIPAA covered entities

What to expect

The Department of Health and Human Services (HHS) has published the protocol to be used during HIPAA audits on its website. The quantity of listed requirements may seem overwhelming, especially for small to midsize physician practices.

How to prepare

Everyone at a covered entity or business associate that could be involved in an audit should take time to learn and understand what's required of their organization by HIPAA. A third-party compliance consultant can help interpret some of the more complex HIPAA regulations and reduce stress on internal employees. By first understanding what the rules are, an organization can then ensure they have assembled the proper documentation to prove their HIPAA-compliant status and, more importantly, taken steps to secure protected health information.

How these audits will differ from the pilot

There were a small set of audits that were performed as part of the first round of pilot audits a few years ago. The results of those pilot audits focused on reviewing and refining the audit process and how HIPAA covered entities had trained for and responded to audits. For the upcoming set of audits, the auditors will request to review an organization's available documentation related to HIPAA protocols. Once those documents are reviewed, then the covered entity may be requested to provide further documentation and be asked to host an onsite visit.

Who should be most worried

There are some critical processes and procedures that must be documented and reviewed to prove how an organization is protecting patient data, from both administrative and technical perspectives. Large healthcare entities generally have dedicated security and compliance resources available to them.

Smaller medical groups are challenged by their lack of resources in comparison to their larger counterparts. Many smaller groups are aided by third-party technology vendors that may not have sufficient understanding of HIPAA protocols to establish that appropriate documentation is kept and staff members receive ample training.

What to do next

Healthcare groups, business associates and covered entities should ensure that their ongoing HIPAA compliance efforts stay updated and in line with HHS and OCR requirements. The effort should be a continuous one, because even when their systems and industry regulations change, organizations must protect all of their patients' data. For those that have not recently evaluated their HIPAA compliance, it is highly recommended that they do so soon and make it a recurring task.

HIPAA covered entities should always be aware of their compliance status, not just when auditors are knocking at their door. HIPAA audits are here to stay, and this year is likely to be a preview of future rounds of audits to happen in the next few years. While some are confident about facing their auditors, others will be forced to address gaps in their compliance and be hit with financial penalties, on top of the money they'll have to pay for remedying the issues discovered during the review process. In the meantime, all covered entities should pay close attention to what some of the groups audited before them have to say about their experience.

Next Steps

The OCR's protocol a good place to start in HIPAA preparations

Some movement on audits at 2015 HIPAA Security Conference

Healthcare providers shouldn't neglect business associates

Dig Deeper on HIPAA (Health Insurance Portability and Accountability Act)