The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) has officially started a long-awaited round of health information privacy and data security audits.
When HHS OCR conducted its first round of Health Insurance Portability and Accountability Act (HIPAA) audits, it looked at hospitals, doctors’ offices, health plans and other organizations classified as “covered entities.”
When the agency conducts the new Phase 2 round of audits, it will review privacy and data security practices at the offices of insurance agents, brokers, benefit plan administrators and other entities classified as the “business associates” of the covered entities, officials say.
“Every covered entity and business associate is eligible for an audit,” HHS OCR says in an Audit Phase 2 launch announcement.
The HHS OCR audit team is already identifying pools of potential auditees. Once the team puts together a list of potential auditees and their contact information, it will send them a screening questionnaire.
HHS OCR will ask each covered entity in the audit pool for a list of its HIPAA business associates. The HIPAA business associates of a health plan typically include insurance agents, brokers and benefit plan administrators.
“We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request,” HHS OCR officials say.
Once HHS OCR gets replies to the screening questionnaire, it will pick the covered entities that will go through actual audits from the list of entities in the audit pool. HHS OCR notes that it may pick an entity for an audit even if that entity fails to fill out the questionnaire.
HHS OCR will start by conducting a desk audit, or telephone-based audit, of a covered entity. The agency will then conduct a desk audit of some of the entity’s business associates, and it also will send out auditors to conduct on-site audits.