What to do if you are notified of a HIPAA onsite audit

The very idea of being audited, regardless of by whom, is a bit disturbing. Covered entities, such as physicians, and their business associates have been subject to audits by the Office for Civil Rights (OCR), a department within the Department of Health and Human Services (HHS), for the last several years. And there’s another new set of audits coming.

Currently, Phase 2 of the Health Insurance Portability and Accountability Act (HIPAA) Audit Program is underway. During 2016, covered entities and business associates may be asked to submit documents for a desk audit of their HIPAA compliance. Beginning next year, HHS will commence conducting onsite audits. In an onsite audit, auditors visit the practice; in a desk audit, the practice sends in documents to CMS for review.

Peter Blenkinsop, a partner at the Washington, D.C., location of law firm Drinker Biddle & Reath, says all covered entities and their business associates could be subject to either, or both, type of audit.

“You can absolutely have an onsite audit without having had a desk audit. You could also be chosen for both,” he told Medical Economics. “The onsite audits will be broader and may cover all aspects of an organization’s privacy and security practices.”

Blenkinsop says that an organization selected for an onsite audit will first receive a letter explaining how the program works and who will be conducting the audit. Next, there will be a pre-audit questionnaire and the covered entity will have 10 business days to complete and return it. Then, HHS will schedule the audit, which could last anywhere from three to 10 days.

Although the audit protocol for Phase 2 of the HIPAA Audit Program has not yet been published, the protocol from Phase 1 is available and Blenkinsop advises practices use that to help prepare for Phase 2. There were two areas where HHS found significant deficiencies during Phase 1, and Blenkinsop thinks there is a good chance Phase 2 audits will focus on those areas.

“One of the primary deficiencies they found in Phase 1 was that many covered entities had not done a thorough risk assessment of their vulnerabilities,” says Blenkinsop. “A second area where there were a lot of deficiencies was that of addressable safeguards. The security rules include a list of addressable safeguards that covered entities and business associates either must address or document why they were not addressed.” During the Phase 1 audits, many organizations failed to document why they didn’t implement some of the safeguards, he says.

Preparing for an onsite audit

A notification of an audit is nerve-wracking, regardless of how compliant your organization is. Having people come to your place of business and look at all of your records is stressful. Blenkinsop makes several points that may help soothe jangled nerves. First, he suggests having some kind of brief training for the people who will be interacting with the auditors. “Go over where the policies and procedures are stored, how they should respond to questions, and what they should expect in general,” he says.

Another important thing to keep in mind is that auditees do have the opportunity to view and comment on the draft audit report, says Blenkinsop. It is comforting to know that you will have the opportunity to correct any inaccuracies.

Additionally, Blenkinsop says, “Although there is an enforcement element to these audits, the primary purpose [of the HIPAA Audit Program] is to help HHS understand where there needs to be more guidance and training.” If there is a serious compliance issue, then HHS may conduct a compliance review, which is a more focused review with the potential of taking some kind of enforcement action. Covered entities and business associates that have taken serious steps to try to comply are unlikely to be in a situation where they are being penalized by HHS as a result of an onsite audit.

Finally, although the results of an individual audit are subject to requests from the public through the Freedom of Information Act, HHS has said that in the absence of such a request, the results of individual audits will only be published in the aggregate, or with the name of the organization audited removed.