News Feature | November 9, 2015

HIPAA Audits Are Coming … Are You Ready?

By Megan Williams, contributing writer

The second phase of the HIPAA Audit Pilot Program is on its way. According to Lexology.com, the program launched four years ago this month and was originally intended to include a second round of audits for covered entities (CE) and business associates (BA) that were pre-selected for review. Phase 2 was initially scheduled to kick off in September of 2014, but has been under reevaluation and consequently delayed. The recent report from the OIG calling for stronger oversight around the Privacy Rule has many believing that there won’t be much more postponement.

The Purpose Of The Audit Program

The Audit Pilot Program was designed to facilitate measurement of CE and BA compliance with HIPAA privacy, security, and breach notification requirements. In line with that purpose, the OIG has recommended that OCR strengthen its oversight of BAs and CEs, along with other suggestions including:

  • developing a case-tracking system
  • documenting corrective action
  • implementing a permanent audit program
  • expanding efforts around outreach and education

How Solutions Providers Are Impacted

OCR has agreed with each recommendation and is planning on moving toward a permanent audit program with Phase 2 launching in early 2016.

This is where solutions providers will be the most directly impacted. Phase 2 will include business associates along with covered entities. This puts you in the position of needing to be aware not only of your clients' policies and procedures around HIPAA compliance, but also of your own.

Your Clients

Based on OCR's findings, the road to getting both your organization’s and your clients’ HIPAA standards up to acceptable levels will be a long one. According to the report, “OCR determined that covered entities were noncompliant with at least one privacy standard in 54 percent of closed privacy cases. A determination of noncompliance may indicate that covered entities lack appropriate safeguards to protect health information. Among the closed privacy cases in our sample in which OCR made determinations of noncompliance, the two most common types of noncompliance were related to the standard on restricting uses and disclosures of PHI and the standard on implementing safeguards. The most frequently represented covered entities among these cases were hospitals and individual providers.”