HIPAA OCR Audits Q&A (Part 1)

The HIPAA OCR audits are underway. If your organization is targeted for an audit, you’ll only be given 10 days to upload the requested documents and reply to inquiries (there are over 1300 elements).

In this post, I'm answering questions taken from our recent HIPAA webinar, "OCR (HIPAA Stage 2) Audits: What to Expect and How to Prepare." 

Watch the on-demand webinar, and follow this HIPAA OCR Audits Q&A series to find out what your organization can do to meet compliance before you’re targeted.

Q1. From forums I've seen, it appears that individuals that reported a breach this year were more likely to have received the contact verification letter. Is that your observation as well?

We have been able to confirm that the initial round of contact form requests came from a database of contacts related to annual breach reporting. The list is derived only from those breach reports involving fewer than 500 records. The initial email list came from breach reports filed between January 2013 and April 2014.

Q2. Are you seeing any on-site audits yet?
Q3. Have people received the actual audit notice or just the pre-screening questionnaire to be placed in the pool for audit?

No. Audit targets, even desk audits, will not start being selected until around July 8th.

Q4. Is the Business Associate section on the questionnaire asking if you are a business associate, or does it want you to give information regarding the business associates you are working with?

In the audit pre-screening questionnaire template published by OCR, questions 24 through 30 are directed at the Business Associate. In other words, they are clearly designed for Business Associates to answer directly. The questionnaire appears to be intended for use by everyone, with recipients expected to complete section one and then only the sections that apply to them. The questionnaire is divided into the following sections:

  • Basic Description Information About Your Organization (1-4)
  • Healthcare Providers (5-13)
  • Health Plans (14-19)
  • Healthcare Clearinghouses (20-23)
  • Business Associates (24-30)

It is worth noting too, as discussed during the webinar, that covered entities will also be asked to provide a list of their Business Associates. OCR has published a template for this purpose.

Q5. How many audits will be conducted?

Based on recent indications there will be 222 desk audits. Of these, 182 will be covered entities and 40 will be business associates. From this pool, 10 will be selected for on-site audits; these ten will not be selected randomly but based on the findings of the desk audit. You really don’t want an on-site audit.

Q6. At what point will the OCR charge a covered entity or business associate with a "violation"? 

OCR will not levy fines as a result of audits alone. However, it’s possible that OCR could decide to begin a formal “compliance review,” which could lead to fines, based on poor performance in an audit. That said, based on an interview Steve heard with Deven McGraw, Deputy Director of Health Information Privacy for OCR, the objective of the audit program is quality oversight, not enforcement, and OCR does not anticipate compliance reviews resulting except, possibly, in really egregious cases. If it happens, it would likely be limited to one of the 10 entities selected for an on-site audit.

Q7. Does a CE need to have a separate HIPAA Privacy Risk Assessment?

The Privacy Rule has no equivalent to the explicit safeguard in the Security Rule that requires a security risk analysis. However, the privacy regulations do have a single standard (§164.530(c)) requiring organizations to implement administrative, physical and technical safeguards. The review of this standard in the actual audit protocol is very general and does not specify a documentation requirement for a “privacy risk assessment”. Organizations may nonetheless benefit from a “privacy audit” to review their compliance with the standards.

Q8. How long from the time a questionnaire is sent back before an audit request is received?

We have heard of turnarounds as short as one day, and of another case where a person submitted the contact form and hasn’t heard back for over two weeks. I suspect that the turnaround is normally pretty fast, within a few days. All contacts receiving the contact request form should, eventually, receive the pre-audit questionnaire.

Q9. On the pre-audit questionnaire sent to CEs, why do they ask for total revenue for the fiscal year?

The purpose of the pre-audit questionnaire is to identify a broad range of entity types to be audited. Fiscal-year revenue is, presumably, one of a few questions used to gauge the size of an organization as a selection criterion.

Check back tomorrow for Part 2 of our HIPAA OCR Audits Q&A. 
