2016-08-30

Overview

The privacy, security and breach notification provisions of the Health Insurance Portability & Accountability Act (HIPAA) set national standards to safeguard individuals’ protected health information (PHI) and require specific notifications regarding breaches of unsecured PHI. Covered entities under HIPAA include health providers, health plans and healthcare clearinghouses.

The Office of Civil Rights (OCR) enforces these provisions of HIPAA by investigating complaints, performing education and outreach, and conducting compliance reviews to determine if covered entities are in compliance. These programs enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to PHI. Criminal violations of HIPAA are referred to the Department of Justice.

HIPAA Audit Program Background

In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. OCR then evaluated the effectiveness of the pilot program. Based on that experience and the results of the evaluation, OCR implemented phase two of the program, which includes audits of both covered entities and business associates. As part of this program, OCR developed enhanced protocols (sets of instructions) that have been used in the phase two audits, and it is testing the efficacy of desk audits in evaluating the compliance efforts of HIPAA covered entities.

HIPAA Audits – Phase Two

In March 2016, OCR announced phase two of the HIPAA audit program. Approximately 165 covered entities were contacted in July 2016 and asked to provide documents related to either privacy and breach notification compliance or security controls. OCR is using the requested information to perform desk audits of the selected covered entities.

Documents requested for the privacy/breach notification audit included:

Copy of Notice of Privacy Practices in effect in 2015;

URL for entity website and URL for posting of Privacy Notice (if applicable);

Policies and procedures for electronic distribution of Privacy Notice (if applicable);

Policies and procedures for individuals to request access to PHI, including any standard form or template used to document requests;

Documentation related to first five access requests that were granted in the previous calendar year and evidence of fulfillment;

Documentation related to last five access requests in the previous calendar year for which the covered entity extended the time for response to the request;

Documentation of five breach incidents from the previous calendar year affecting fewer than 500 individuals; and

Documentation of five breach incidents affecting 500 or more individuals in the previous calendar year, including a copy of the notice sent to affected individuals and any standard form letter or template used for notification purposes.

Documents requested for the security control audit included:

Policies and procedures regarding the covered entity’s risk analysis process and risk management process;

Documentation demonstrating that policies and procedures related to risk analysis and risk management were in place six years prior to the audit notification date;

Documentation from the previous calendar year demonstrating that records related to risk analysis and risk management are available, periodically reviewed and updated as necessary;

Documentation of current and most recent prior risk analysis, including results;

Documentation demonstrating efforts used to manage risks from previous calendar year;

Documentation demonstrating security measures implemented to reduce risks as a result of current risk analysis; and

Documentation demonstrating that current and ongoing risks are reviewed and updated.

If a covered entity could not provide the requested documents, an explanation for the deficiency was required. OCR also asked for information about business associates of covered entities.

Audit Process Is Ongoing

The desk audits of covered entities are ongoing. Using the information provided by covered entities, OCR will next identify certain business associates for the second round of desk audits. This will be followed by on-site audits of selected covered entities and business associates, focusing on a comprehensive set of HIPAA compliance controls (which have not yet been identified).

OCR has stated that the audits are primarily a compliance improvement activity which will be used to better understand compliance efforts and determine what technical assistance materials should be developed. However, OCR could decide to open separate compliance reviews in cases where a significant threat to the privacy or security of PHI is identified.

Disclosure Information

Information contained herein is generic in nature and provided by sources believed to be reliable. It is for informational purposes only and is not guaranteed as to accuracy, is not intended to be the primary basis for insurance or investment decisions, and is not intended to replace the advice of a qualified professional. Neither PSA Insurance and Financial Services, its affiliates or employees render, or offer to render, personalized insurance, investment or financial planning advice through this medium. PSA employees are not licensed legal or tax professionals. Contact your qualified professional for legal or tax advice. As tax and other regulations may change, always consult your advisor before acting on any information provided. Due to various factors, including market changes, this content may no longer reflect our current opinion. PSA may only transact business in those states in which they are registered or exempted from registration. Information herein is directed only toward U.S. citizens. All rights reserved. No reproduction in whole or in part is permitted without the express written consent of PSA. PSA Insurance & Financial Services, its affiliates and employees are not responsible for the content of other web or social networking sites. PSA Equities, Inc. is a FINRA Registered Broker Dealer; PSA Financial Advisors, Inc. is an SEC Registered Investment Advisory firm; both are located at 11311 McCormick Road, Hunt Valley, MD 21031. Contact our office at 410 821-7766 to discuss your specific needs. To protect your privacy, do not send personal information via the internet.

The post HIPAA Audit Program (Benefit Minute) appeared first on PSA Insurance and Financial Services.