The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will be conducting on-site HIPAA audits in 2017. An on-site audit is the more traditional form of audit, in which a team visits the physical location of a covered entity or business associate, as opposed to a desk audit conducted remotely from submitted documentation. All covered entities and their business associates could be subject to either type of audit, or both. The on-site audits will be more extensive, covering all aspects of an organization’s privacy and security practices.
According to OCR, it will only be conducting a “small number” of on-site HIPAA audits in 2017. Auditors will look at “risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content and timeliness of notifications”, checking that providers are actually implementing the policies and procedures they have documented.
Audits are intended to help OCR identify risks and vulnerabilities across the industry. The idea of an on-site audit can be unsettling, but it is important for providers to remember that audits are not primarily about enforcement. Their main goal is to help HHS understand where more guidance and training is needed.
According to HHS, the process for selecting entities for on-site audits will be similar to the one used for desk audits. Notifications will be sent out by email, and the selected entity will then have 10 business days to complete and return a pre-audit questionnaire. After that, HHS will schedule the audit, and the on-site visit will take place over three to five days. HHS also states that the chances of being audited are low, but has offered guidance on what auditors will be looking for once an organization has been selected.
Chances are it won’t happen to your organization, but you had better be prepared if it does.
What if your organization is selected for an on-site audit? Notification of an audit is stressful, regardless of how compliant your organization is.
Your first step should be a meeting with the staff who will interact with the auditors, to go over the relevant policies and procedures. Some training on how to respond to auditors’ questions, and on what to expect in general, will take pressure off everyone involved.
Risk analysis and risk management are the areas where OCR is seeing the most noncompliance, so these are the two areas that hospitals and practices should focus on. Organizations that have taken serious, documented measures to comply are unlikely to be penalized by HHS as a result of an on-site audit.
Remember that you will have the opportunity to review and comment on the draft audit report, so any inaccuracies can be corrected before the report is finalized.
Contact us to hear more about our Privacy and Security Risk Analysis and learn more about how our Privacy & Security Solutions Toolkit can help you meet the PHI challenge.