After years of anticipation, federal regulators yesterday launched a new round of audits to gauge compliance with patient privacy provisions of the Health Insurance Portability and Accountability Act. The launch is starting off innocuously with emails to so-called covered entities — health care providers, insurance plans and clearinghouses — and to business associates that handle patient information on behalf of those entities. The emails will simply ask to verify contact information, after which recipients will receive a “preaudit questionnaire” seeking details on their business size and operations.
From there, the Office for Civil Rights will create a pool of audit targets. The pool will be created “in coming months” and will “represent a wide range of health care providers, health plans, health care clearinghouses and business associates,” the OCR said Monday. According to news reports last week, about 200 audits are planned. On Monday, the OCR said that a majority of the reviews will be remote “desk audits,” although some in-person audits will take place. All the desk audits will be finished by the end of 2016, according to the OCR.
If an audit turns up a “serious compliance issue,” the OCR said, further investigation may occur, which could trigger financial penalties and a formal agreement to improve HIPAA compliance. More broadly, the agency said that it will use its findings to develop new guidance and policies aimed at strengthening adherence to HIPAA rules that safeguard the confidentiality of so-called protected health information.
One of the key questions surrounding audits is how business associates will fare, given that they have been covered by HIPAA only since 2013. It is predicted that the OCR may focus in particular on business associates that conduct large-scale data analysis, storage and management for covered entities.
The OCR promised to release its audit protocols — instructions on how audits are conducted — later this year, when the agency is closer to actually performing the audits. The protocols are being updated to reflect policies in a 2013 final rule that expanded HIPAA’s reach.
Companies selected for an audit will receive a detailed overview of the audit process and an outline of their obligations, according to the OCR. Generally, companies will have 10 business days to submit the requested information, and the OCR will then review the information and respond with its findings. Companies will then have a chance to respond to the findings before a final audit report is completed.