• Up to 250 covered entities and business associates to be evaluated on HIPAA privacy and security
• “Desk” audits of business associates to begin after Thanksgiving
• President-elect Trump's HHS reshuffle not expected to affect audits
Nov. 22 — The second phase of random audits under the HIPAA audit program will likely begin targeting business associates right after the Thanksgiving holiday, and the program won't be affected by the change in White House administration, a top HHS health privacy official said.
“We will start the business associate desk audits any day now,” Deven McGraw said at a research ethics conference Nov. 15.
Since auditees have 10 business days to send in necessary documentation, she said, the Department of Health and Human Services didn't want that audit notification to fall around the Thanksgiving holiday on Nov. 24. “It's already bad enough that we're doing this to you—far worse over a holiday. But we also need to get it done before the other holidays that come in December.”
The phase II audits are the latest round in a compliance auditing program to evaluate how well hundreds of hospitals and other entities covered under the Health Insurance Portability and Accountability Act of 1996, and their business associates, comply with the HIPAA privacy, security and breach notification rules for health information. McGraw is the deputy director of health information privacy at the HHS Office for Civil Rights, which administers the HIPAA rules. These audits will serve as a learning experience for OCR to develop a permanent audit program, she said.
McGraw said she does not anticipate President-elect Donald Trump's upcoming leadership reshuffle at the HHS to affect the program. In the past, McGraw said, “our office has taken a little bit of time to get new leadership in place,” and she anticipates OCR will be under the leadership of an acting director for some time after Jan. 20. On-site audits are expected to begin in early 2017.
“I am a career employee, and I will still be here, and we will still be moving the audit program in the way that we intended and have put out to others,” she said.
The audit program implements a requirement of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.
McGraw made her remarks on a panel about the phase II audits during Public Responsibility in Medicine & Research's Advancing Ethical Research conference in Anaheim, Calif. The HIPAA privacy rule allows researchers to create, obtain, use and disclose individually identifiable health information in research. But researchers must be aware of the different legal standards, including HIPAA and any other applicable rules, such as the human subject protection regulations of the HHS and the Food and Drug Administration, as well as state laws and institutional policies and contracts.
She described the audit program as a unique tool for HIPAA administrators to take a fresh look at how companies are developing policies and procedures and provide training on HIPAA.
“It is part of our enforcement program, but nevertheless, we use it to help us see whether there might be patterns of noncompliance,” McGraw said.
“The overarching purpose of the audit is learning,” McGraw said. “We're doing this audit because it allows us to get a look at how covered entities—and this time, business associates—are complying with certain provisions of the rules in a way that's different from when we come in the door because we're investigating something like a breach.”
At the same time, the HHS reserves the right to open a compliance review if auditors flag something that “suggests to us that there are significant risks to protected health information.” Failure to respond to the audit notice also is “a sure way to get shelved into the compliance review pathway,” she said.
If there are misunderstandings about the HHS's expectations, she said her office may issue more guidance. If they discover best practices among auditees, McGraw said the HHS might be able to elevate those practices to help covered entities comply with the HIPAA rules.
‘What the Heck is a Desk Audit?’
Phase II, which HHS began this year, involves both on-site and desk audits of 200 to 250 covered entities and business associates.
“What the heck is a desk audit?” McGraw said. “Well it means you don't have to worry about auditors coming in your door. But it does require you to provide documentation to us. You're being audited on select provisions of the HIPAA rules.”
Covered entities may have to submit documents on:
(1) their risk analysis and risk management plans for the security rule;
(2) the content and timeliness for following the breach notification rule; or
(3) the notice of the entity's privacy practices for health information and patients' right to access their data.
Business associates, which HIPAA defines as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity,” must submit the same security rule information as covered entities. They also must submit their plan for reporting any data breaches to the covered entity.
The HHS selected covered entities based on a cross section of the size, type and location of potential auditees. The department then screened the candidates based on any potential conflicts of interest and whether they were already subject to a HIPAA enforcement inspection. These covered entities then provided the names of their business associates.
The HHS is in the middle of conducting desk audits for covered entities. “If you haven't received a notice and you're a covered entity, the chances are pretty good actually you got a pass for this particular phase of the audit.”
But the on-site audits are scheduled to begin early next year, and McGraw said the HHS plans to draw from the same pool of business associates and covered entities to select which organizations will receive an on-site audit, and may also draw on entities outside that pool.
“The reason I say ‘chances are,’ is because the on-site audit phase begins in 2017,” she said.
The same pool of candidates for the desk audits will be subject to the on-site audits, but McGraw said OCR will also consider other entities for on-site audits.
“So you might be breathing a sigh of relief around this early phase, but you still may be an audit candidate,” she said.
To contact the reporter on this story: Jeannie Baumann in Washington at email@example.com
To contact the editor responsible for this story: Randy Kubetin at RKubetin@bna.com