The U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) has officially started a long-awaited round of health information privacy and data security audits.

When HHS OCR conducted its first round of Health Insurance Portability and Accountability Act (HIPAA) audits, it looked at hospitals, doctors’ offices, health plans and other organizations classified as “covered entities.”

When the agency conducts the new Phase 2 round of audits, it will review privacy and data security practices at the offices of insurance agents, brokers, benefit plan administrators and other entities classified as the “business associates” of the covered entities, officials say.


“Every covered entity and business associate is eligible for an audit,” HHS OCR says in an Audit Phase 2 launch announcement.

The HHS OCR audit team is already identifying pools of potential auditees. Once the team puts together a list of potential auditees and their contact information, it will send them a screening questionnaire.

HHS OCR will ask each covered entity in the audit pool for a list of its HIPAA business associates. The business associates of a health plan typically include insurance agents, brokers and benefit plan administrators.

“We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request,” HHS OCR officials say.

Once HHS OCR receives replies to the screening questionnaire, it will select the covered entities that will actually be audited from the entities in the audit pool. HHS OCR notes that it may select an entity for an audit even if that entity fails to fill out the questionnaire.

HHS OCR will start by conducting a desk audit, or telephone-based audit, of a covered entity. The agency will then conduct a desk audit of some of the entity’s business associates, and it also will send out auditors to conduct on-site audits.

The agency did not say how long the entities have to respond to the pre-screening questionnaire, but those chosen for audits have 10 business days to load any information requested into the HHS OCR portal system.

“All documents are to be in digital form and submitted electronically via the secure online portal,” officials say.

Officials do not say if HHS OCR will make any exceptions for small insurance agencies and other small businesses that make little use of the Internet or electronic recordkeeping systems.

HHS OCR assumes that all of the covered entities and business associates it may screen or audit have working email addresses. The agency notes that potential auditees should whitelist the OSOCRAudit@hhs.gov email address, and that they should check their email system spam folders for messages from that address.

The agency says it may begin a formal compliance review if an audit turns up evidence of serious compliance problems, but that it intends to use the audit program mainly to develop strategies for improving HIPAA privacy, data security and breach notification efforts. 
