Federal health data cops are setting up a compliance lottery you might prefer to skip.
Earlier this month, the health data cops — officials at the Office for Civil Rights, an arm of the U.S. Department of Health and Human Services — started a major wave of audits of hospitals, group health plans, insurers and other entities directly covered by the Health Insurance Portability and Accountability Act privacy and data security rules.
Officials from the Office for Civil Rights are asking for big batches of information from the HIPAA-covered entities. One item on the auditors’ document-demand list is contact information for the covered entities’ business associates.
For an insurer, the list of business associates could include insurance agents and brokers.
For a group health plan, the list could include agents, brokers and benefit plan administrators and consultants.
Federal officials want to use the business associate lists to choose targets for a wave of business-associate HIPAA audits.
Federal officials conducted a smaller, relatively casual round of audits of covered entities in 2012, to look for ways to help covered entities and business associates understand and comply with HIPAA rules.
An official who’s supposed to keep tabs on HHS, the HHS inspector general, blasted officials the Office for Civil Rights for going too easy on the covered entities. Observers are expecting the current “Phase 2″ round of audits to be tougher.
During a recent Phase 2 audit webinar, officials from the Office for Civil Rights said audits could lead to legal action.
“OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of [protected health information] are revealed through the audit,” officials say in a webinar slidedeck.
Here’s a look at some of the new details officials from the Office for Civil Rights revealed at the webinar, based on the slidedeck and a collection of written answers to webinar participants’ questions:
A desk audit is actually a telephone conversation with an auditor. (Photo: Allison Bell/LHP)
1. A desk audit has nothing to do with the condition of your desk.
When Office for Civil Rights officials conduct a desk audit, they ask the targeted entity to answer questions and send it many documents.
The officials conducting the Phase 2 audits sent requests for documents to 167 covered entities July 11.
The auditors will look to see how each audited entity is complying with either the HIPAA security standards, or the HIPAA privacy and data breach requirements, but not both, according to the slidedeck.
If officials conduct a desk audit of a group health plan’s compliance with the privacy rules, for example, the auditors will look to see whether the entity has a privacy practices notice that includes all of the required elements. Auditors will also to see whether the entity posts the notice on its website in the right way.
In many cases, auditors will ask entities for screen shots of their computer screens. Officials took up several webinar slides showing the webinar attendees what the screen shots should look like.