Expect more comprehensive audits instead of desk reviews.
The HHS Office for Civil Rights has announced that it is yet again delaying Phase 2 of the HIPAA audits — with no definitive date set for the audits to actually begin. When the audits do start, however, they’ll be much more intense than previously planned. Here’s what you need to know to prepare.
Why the delay? “Phase 2 of the HIPAA audits was initially slated to begin in the fall of 2014 and was subsequently moved to late 2014 or early 2015,” noted Charlotte, N.C.-based attorney Chara O’Neale in a blog post for law firm Parker Poe. “Currently, no timeline has been provided as to when the next round of audits will officially begin.”
Earlier this year, OCR also said that it would conduct pre-audit surveys of 800 covered entities (CEs) and 400 business associates (BAs) to determine suitability for the audit program last summer, according to law firm Alston & Bird. OCR indicated that it would use the surveys to select 350 CEs and 50 BAs to audit in Phase 2. But now OCR has delayed the pre-audit surveys, as well as Phase 2 of the HIPAA audit program.
Why? “According to OCR, the audit portals and project management tools that are needed to facilitate the audit process are not yet ready for prime time,” explained partner Mark Burnette in a blog post for Tennessee-based LBMC Security & Risk Services. “Clearly, without a fully functioning infrastructure, the audits would be a nightmare for the OCR and every organization subject to one,” Burnette said.
Providers will use OCR’s new web portal to submit information to the agency, according to Alston & Bird. “OCR is planning to use its new portal to conduct the pre-audit survey screening tool as well as to have entities enter data for the audits.”
The portal technology will collect, collate and analyze audit data, Alston & Bird explained. OCR says the new web portal will help it streamline the audit process, save time and allow it to conduct more audits.
Problem: “If the OCR keeps announcing that the audits are coming — and then continues to push them back — many healthcare organizations will continue to fall below compliance and not be particularly motivated to do anything about it,” Burnette lamented. “When resources are tight, non-revenue generating initiatives (like government-mandated data security controls) are too easily set aside, especially if no one is watching.”
Get Ready For More On-Site Audits, Fewer Desk Audits
If you think that Phase 2 audits won’t be as intense as the last round of audits, think again, Irvine, Calif.-based Medical Information Technology Group warned in a statement.
In addition to the delay and the new portal, OCR also announced that it has changed its strategy for the Phase 2 audits. Instead of conducting mostly desk audits as previously announced, OCR now says that it will conduct more comprehensive audits than desk audits.
“Instead of conducting 400 desk audits, OCR — with the new web portal and some additional funding — is planning to do a larger number of on-site, comprehensive audits, including business associate audits,” Alston & Bird said. “And to conduct fewer than 200 targeted desk audits.”
OCR is planning to send the pre-audit surveys to CEs first, and then to BAs, “in the near future.” OCR also plans to update its HIPAA audit protocols before the next round of audits begins.
Lesson learned: Use this extra time wisely and look at your organization’s state of digital security and compliance with the HIPAA Omnibus Rule changes, if you haven’t already, Medical ITG recommended. Also, keep an eye out for updates and new announcements about the audit program on the OCR website at www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.