Pathology/Lab Coding Alert

Don’t expect more onsite visits.

Three years after the kickoff of Phase 2 desktop audits, the HHS Office for Civil Rights (OCR) plan for escalating onsite audits has vanished.

Read on to see what this change might mean for your lab’s HIPAA compliance plans.

Check the Audit Trail

Although the HHS audit resource is still available online at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html, “Phase 2 of the Audit Program seems to have fizzled out,” says Philadelphia-based attorney Edward I. Leeds, of national law firm Ballard Spahr LLP, in an online analysis.

With no official announcement, “The HIPAA Audit Program has, essentially, been terminated,” says Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vt.

“Phase 2 was terminated without coming to a conclusion, and ‘Phase 3,’ yet to come, was identified in the fall of 2018 as a report generating recommendations based on Phases 1 and 2,” he continues.

Look: OCR did update 13 questions on its Audit Protocol website last summer, with no major changes to HIPAA. The information was “based on the experience gained in questioning during the 2016 round of audits,” Sheldon-Dean notes. “Despite promises from HHS staff, a change history has not been provided, and the update itself was never announced.”

Focus Impact on Your Practice

OCR states that “Audits are primarily a compliance improvement activity.”

That’s why the audit termination is “too bad,” according to Sheldon-Dean, “because the audits, when implemented properly, can be a valuable tool for discovering where there are weaknesses in compliance, either by the fault of covered entities, or through inappropriate regulatory requirements.”

Case in point: OCRs stated intention was to “use the audit reports to determine what types of technical assistance should be developed … and develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”

More to come – maybe: Audits may come back down the line, but to what end?

“Although audits may be revived at some time in the future, it is more likely that OCR will dedicate its limited HIPAA resources to investigations,” according to Leed.

Sheldon-Dean agrees. “I don’t think the audit rules will be used for enforcement purposes, as it would require developing a program, while simply responding to complaints and breaches provides plenty of fruit for making examples of rule violators.”

Do this: Whether the HIPAA Audit Program makes a comeback (or not), there’s never been a better time to up your compliance capital with updated policies. Take advantage of this reprieve to assess your risks and act on them with concrete management tactics. And remember, document everything — because if OCR does roll out the audit patrol, the first thing they’ll ask for is written proof of your compliance plan.