Starting in November, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is slated to begin HIPAA compliance desk audits for business associates. This is just the beginning of OCR’s ongoing push for a permanent HIPAA audit program, which will kick into higher gear come 2017.
OCR first began its Phase 2 HIPAA Compliance Audits in March of 2015. An initial group of 167 covered entities, such as doctors and insurance companies, was randomly selected for a HIPAA audit. A questionnaire was sent to auditees asking them to compile lists of their business associates (BAs) along with relevant contact information.
OCR has collected some 20,000 BAs through this process, and now plans to select organizations from this list and move forward with onsite audits, according to OCR's Deputy Director of Health Information Privacy, Deven McGraw.
In June of this year, OCR reached its first settlement with a BA in the history of HIPAA enforcement, resulting in a $650,000 fine. OCR has redoubled its efforts toward BA enforcement, and this recent announcement marks the first time that OCR has instigated wide-scale random audits of business associates for HIPAA compliance, a practice that will become standard once HHS launches its permanent audit program.
McGraw went on to state that business associates chosen for desk audits after November 2016 could also be subject to additional onsite audits if widespread HIPAA compliance issues are uncovered. “It’s not a game of ‘gotcha’ or a vehicle for punitive measures. But we can open an investigation if what we see in an audit” raises alarms, she said.
McGraw also outlined plans for a "comprehensive roll-up report" once these desk audits are completed. This report will be a publicly accessible document outlining the major findings of OCR's Phase 2 Audits. OCR intends for the report to act as a resource that HIPAA-beholden organizations can use to shape their compliance plans in the future.
The 20,000 contacts that OCR has gathered across the health care industry represent a wide range of different business associates. Organizations that weren't contacted over the course of OCR's initial outreach for Phase 2 can still be audited simply because of the business relationships they have with covered entities.
“In order to best prepare for these audits, business associates should be able to illustrate their HIPAA compliance through supporting documentation,” says Marc Haskelson, President and CEO of Compliancy Group. “If a BA has yet to address their HIPAA compliance, now is a better time to start than ever before.”