With HIPAA Phase 2, there is a short turnaround time when it comes to audit requests and that puts pressure on small businesses to be ready at any moment.
The HITECH Act (Health Information Technology for Economic and Clinical Health) means that the HHS (U.S. Department of Health & Human Services) is required to perform audits on a periodic basis of business associates and entities to ensure that they are meeting the Breach Notification, Security and Privacy Rules set forth in the Health Insurance Portability and Accountability Act.
In the following paragraphs, you will find information regarding both Phase 1 audits and Phase 2 audits as well as the background information that will be needed in order to prepare for one of these audits.
Phase 1 audits were rolled out in 2011, while Phase 2 audits began earlier this year. The audits in Phase 2 are focused on any areas of noncompliance that were identified in the Phase 1 audits. This can include improper notice of privacy practices, breach notifications and the analysis of security risk and management.
Targets for Audits
CE (Covered Entities) – Group health plans that are sponsored by employers, health care clearinghouses, pharmacies, doctors and health insurance companies.
BA (Business Associates) – An organization or person that actually provides services for a Covered Entity that involves access to any sort of Protected Health Information (PHI). These services can include things like benefit management and billing, data analysis, administration and/or processing claims. The service providers include but are not limited to pharmacy benefits managers, cloud data storage companies, consultants, attorneys, accountants and third-party administrators.
What is New in Phase 2?
The process is expected to begin similar to how Phase 1 began. This is where OCR will choose a large amount of Covered Entities from those that filled out surveys before the audit. However, with Phase 2, the Covered Entities that are audited will also submit a list of all of their Business Associates. OCR will then select the business associates to audit from those submissions.
Audited Entities Will Have a Short Turnaround Time
If you fall into any of the categories described above, then you need to be looking for audit and policies notices to come by email. Business Associates and Covered Entities need to be ready to respond to these notices within two weeks of receiving the data request and pending audit notification. OCR will only accept documentation that has been submitted on time, so it is critical that you already have the documentation needed readily available in case you get an audit request. If not, you will face having to undergo a full review and this could lead to further penalties. These penalties can include fines that can be as high as $50,000 for each violation with regards to failure to comply with the HIPAA laws, even for breaches that are unintentional – and this can go as high as $1.5 million per annum.
The audits in Phase 2 show us that the OCR is actually attempting to be more proactive in regards to enforcement than is it to reacting to any type of complaints. This is meant to be an audit program that is permanent and required by HITECH. This means that any Business Associate or Covered Entity can and will be a target. Keeping all of your compliance documentation and your records both accurate and up to date will allow for you to cooperate easily.