Earlier this year, the Office for Civil Rights (OCR), the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), issued Pre-Audit Questionnaires to covered entities and business associates alike. These Questionnaires were used to develop separate “pools” of similarly situated entities from which OCR would randomly select and evaluate using both desk and on-site audits. On Monday July 11, 2016, 167 notifications were sent to covered entities, including health plans, health care providers, and health care clearing houses, that represent those selected for the first phase of desk audits. Each entity has until July 22, 2016 to respond to these desk audit requests, which will evaluate the entity’s compliance with particular HIPAA privacy, security, and breach notification rules.
Covered entities that have been selected for the desk audit will be responsible for producing documentation establishing their compliance with privacy regulations governing (i) notice of privacy practices and the requirements thereof, (ii) the provision of such notice, and (iii) the right to access protected health information. With respect to the breach notification rule, the selected covered entities are requested to produce documentation demonstrating their compliance with the (i) timeliness of breach notification and (ii) the content contained therein. Finally, OCR has requested documentation demonstrating compliance with two components of security management processes: (i) an entity’s written risk analysis and (ii) its risk management policies and procedures.
While OCR has suggested that the audit is intended to be a “compliance improvement activity,” to develop appropriate technical assistance and helpful corrective action, it has also provided that audit results indicating serious compliance issues may be further investigated and trigger a compliance review. If your practice or pharmacy has received a request for documentation from OCR as a result of this desk audit, contact Frier Levitt for assistance in collecting and preparing your documentation for submission.
