April 11, 2016

HIPAA Audit Program – Phase 2 Begins (article)

The Administrative Simplification component of the HIPAA law, as enacted in 1996 and amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, is focused on the privacy and security of protected health information (PHI), as well as breach notification.  Part of the law requires the Department of Health and Human Services, through its Office for Civil Rights (OCR), to conduct periodic audits to ensure compliance with these privacy and security standards by affected entities. One of the primary focuses of these audits is to help the government understand the compliance issues that exist.  The government would then be able to provide additional guidance, with the goal of heading off problems before they arise. 


The OCR initiated its first phase of HIPAA audits in 2012.  It has recently announced that the second phase of audits, directed at covered entities and business associates, is beginning now.


As a reminder, a covered entity for purposes of the HIPAA administrative simplification rules is a health care provider, a health care clearinghouse, or a health plan.  An employer is generally not a covered entity.  If the employer sponsors a self-funded health plan, the self-funded health plan is the covered entity.  If the employer sponsors an insured plan and receives no PHI, then the insurer is the covered entity.


The HITECH law made business associates subject to a significant portion of the collective privacy and security rules.  A business associate is defined as an individual or entity that performs a function or activity, or performs specific services on behalf of a covered entity, that involves creating, receiving, maintaining or transmitting PHI regulated by HIPAA.  A business associate also includes a person that offers a personal health record to individuals on behalf of a covered entity, as well as a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. A business associate does not include a covered entity’s workforce.


The process for Phase 2 audits begins with a letter from OCR to a random selection of covered entities and business associates.  According to OCR’s audit procedures, an initial communication will be sent via email.  The OCR cautions that if spam filtering or virus protection is enabled, the initial communication may be incorrectly classified as spam.  Covered entities should check their junk or spam email folder for emails from OCR (a valid email address from OCR would be “OSOCRAudit@hhs.gov”).  While it is not mandatory to respond to the initial inquiry, it would be prudent to do so, if for no other reason than to be aware that an audit might be forthcoming.  Once a valid email contact has been verified, OCR will send a pre-screening questionnaire and request submission of certain information from the covered entity or business associate through its secure portal.  Based on the information provided, OCR would then conduct a desk or onsite audit. Additional information about the steps involved in Phase 2 audits is available from the OCR’s website.


Information obtained from these audits will be used to provide technical assistance and to assist in the development of self-evaluation tools for compliance and breach prevention.


As an on-going general best practice, covered entities and business associates should make certain that their HIPAA privacy, security and breach notification policies and procedures are in good order.  A helpful tool to ensure compliance is available from the OCR in the form of an Audit Protocol. These updated charts provide great information on what would be reviewed in the event of an audit.  Specifically, the procedures outline a covered entity’s compliance with the privacy rules relating to:

  • Notice of privacy practices;
  • Individual rights, such as requests for privacy protection and access to an individual’s PHI;
  • Compliance with administrative rules and the use and disclosure rules;
  • Amending PHI; and
  • Accounting of disclosure.

In addition, the protocol reviews compliance with the HIPAA Security and Breach Notification rules.  Anyone responsible for compliance with these rules should use these charts as a roadmap.

The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.   
