Health Information Management

Pre-audit surveys in the mail, but no start date yet for HIPAA audits

HIM-HIPAA Insider, June 8, 2015


by John Castellucio, Editor
The survey letters for Phase 2 of the HIPAA audits are in the mail to selected healthcare providers and their business associates (BA), but it’s still anyone’s guess when the Office for Civil Rights (OCR) will actually commence its long-awaited audits.
The HITECH Act of 2009 first called on OCR to conduct periodic HIPAA audits to ensure covered entities (CE) and BAs were following Privacy, Security, and Breach Notification Rules, amid a regulatory push for greater use of health IT and national standards for security and privacy. It was a recognition that new technologies can also pose increased risk to consumer privacy.
OCR conducted and evaluated the HIPAA pilot audits between 2011 and 2013, measuring the efforts of 115 CEs at complying with HIPAA standards. Procedures for Phase 2 of the audits—the formal process—dragged on due to various delays until a pre-audit survey was approved by the Office of Management and Budget on March 13, 2015, for distribution to 500 CEs and 200 BAs.
The survey was then mailed out in mid-May. Its purpose is to let OCR collect information that will help identify a broad range of organizations suitable for HIPAA audits. The survey looks at such things as size, complexity, operations, use of EHR, revenue, and how BAs handle PHI.
A smaller sample of that survey group will then be selected for the audits that were originally slated to begin in the fall of 2014.
This past March, OCR Director Jocelyn Samuels confirmed the audit procedures were still being finalized, but would begin soon, presumably sometime in 2015. Audits for BAs should begin after CE audits are underway.
Questions remain about the protocol or criteria OCR will use for the Phase 2 audits; the agency hasn’t yet said whether the protocol will differ from the one used in the pilot audits. One difference in the process is that OCR expects to use desk-based assessments, meaning the agency will not conduct on-site audits unless resources are available.
Chris Apgar, CISSP, an editorial advisory board member for HCPro’s Briefings on HIPAA (BOH) and the president of Apgar & Associates, LLC, in Portland, Oregon, says even though there are no firm dates yet, CEs and BAs should begin preparing for a possible audit. He’s put together a survey on HIPAA compliance, which you can find on his blog.
Visit the OCR audit program website for official updates.

Subscribers to BOH can read more about what the HIPAA auditing process will likely entail in the October 2014 issue.
