Nationwide Audits. The federal Office of Civil Rights (OCR), which is charged with enforcement of the HIPAA laws, recently announced that it is beginning to conduct audits nationwide to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification rules (the HIPAA Audit Program).
Random Selection for Audit. Randomly selected healthcare providers and Business Associates of all sizes will receive email notices stating they have been selected for an audit. The OCR will then transmit a pre-audit questionnaire to gather information about the provider or business associate. Business Associates are entities that handle or have access to protected health information (PHI) on a regular basis, such as IT and other vendors to healthcare providers, and attorneys.
Two Types of Audit. There will be two types of audits: “desk” audits and “onsite” audits. Desk audits are effectively document requests; the provider will have ten days to submit documentation responsive to OCR’s request. An onsite audit will be conducted at the provider’s premises over 3-5 days.
Audit Protocol. On April 1, 2016, OCR posted a draft “updated audit protocol” on its website (http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html). Providers and business associates should review the protocol so they know what the OCR will be reviewing and what they need to do to comply. Per the audit protocol, the audits will be comprehensive and will cover the Privacy Rule, Security Rule, and Breach Notification Rule.
Audit Report. OCR will draft a report of its audit findings within 30 business days of initiation of the audit, and audited entities will have an opportunity to comment on the draft report. If the report indicates a serious compliance problem, the OCR may impose fines.
Possible Fines. The fines for HIPAA non-compliance can be serious; OCR has levied multi-million dollar fines for HIPAA violations in the past. The cooperation of the provider is of utmost importance, as OCR will generally increase the fine if the provider, business associate or other covered entity does not cooperate. Fines for HIPAA violations range from up to $100 per violation, with an annual maximum of $25,000 for repeat violations, for unknowing violations (those the provider or business associate could not have known about by the exercise of reasonable diligence), to up to $10,000 per violation, with an annual maximum of $250,000 for repeat violations, for “willful neglect” violations corrected within the required time frame. There are also possible criminal fines and penalties for knowingly obtaining and unlawfully disclosing PHI.
What You Should Do Now. Check that you have documented compliant policies and procedures; conduct regular security risk assessments (including risks for laptops and mobile devices and all IT portals) and document any corrective actions needed; provide HIPAA training to employees; and review the OCR audit protocol referenced above.
Robert Amador of Amador Law Corporation has advised clients on HIPAA compliance since HIPAA became law and has trained client employees on HIPAA.