HIPAA OCR Audits Q&A (Part 2)

Welcome back to Part 2 of our HIPAA OCR Audit Series (you can find Part 1 here) where I answer the next twelve questions taken from our most recent HIPAA webinar, "OCR (HIPAA Stage 2) Audits: What to Expect and How to Prepare."

Watch our on-demand recording of the webinar, and follow this HIPAA OCR Audits Q&A series to find out what your organization can do to meet compliance before you’re targeted.

Business Associates Upstream and Downstream

Q10. For Business Associates, will they be looking for BAAs with all of our other vendors who are not associated with the covered entity?

Q11. Is OCR interested in both upstream BAs and downstream (our BAs/vendors) or just our downstream BAs?

We believe you are asking, if we may re-phrase it, whether business associates will be required to identify their upstream or downstream Business Associate vendors. We don't know yet, but it's safe to assume so until we learn otherwise.

Timing of Emails

Q12. Some of us received 2 letters - one stated 5 day return and the other stated 14 day return. Any idea why we received 2 letters?

Q13. I have received multiple emails for contact confirmation (4) and then multiple emails for the completion of the questionnaire (3). I was concerned about not responding to the confirmations, so I responded to all four. I sent an email to the contact address and asked if I had to respond to all three questionnaires and have not gotten a response back. Do you have any insight?

Q14. We had a contact verification email that said 5 days, but it was a repeat notice from one that we found in the recipient's junk mail folder.

We have received some clarification on the multiple emails with differing response periods. OCR initially sent contact requests to a database of 287 contact records drawn from the breach database, as mentioned above. They then sent a second round of contact confirmation requests to a list of 10,000 email records. The second send was supposed to filter out recipients of the first, but this apparently didn't work properly. If you received both, the later deadline applies.

If you received multiple contact requests, then you don’t need to reply to all of them as long as you confirm that the request was for the same entity. However, if you received the contact request and you are the designated contact for multiple entities, you should complete the pre-audit questionnaire for each entity.

Processes and Handling

Q15. What if you are a small company and do not have a HR dept or security? Who should handle terminations?

The key issue is that you need to have a policy and procedure in place governing terminations and follow the policy. As to who should handle terminations, that depends on the specific company and situation. The documentation requirements should be handled by the HIPAA Privacy or Security Officer depending on their defined role.

Q16. Is the process: 1. Letter for contact 2. Questionnaire (aka survey) 3. Possibly selected for desk audit 4. Possible onsite audit? And are we required to respond to each item w/in 10 days?

From our webinar slide deck, which you can download for free by watching the on-demand recording, here is the process for desk audits:

  1. Contact Confirmation Email
  2. Pre-screening questionnaire
  3. Identify Business Associates
  4. Audit targets will be notified of their selection
  5. Document request letter which will include the focus of the audit (Privacy, Security or Breach)
  6. Targets upload requested documents via secure portal (within 10 days)
  7. Auditors prepare draft findings and submit to the target
  8. Targets may prepare a response to draft within 10 days
  9. Preparation and sending of final report

Process for onsite audits:

  1. Audit targets will be notified of their selection
  2. Schedule an entrance conference and provide information about audit process and expectations
  3. Conducted over three to five days onsite
  4. More comprehensive than desk audits
  5. Draft Report prepared and sent to target
  6. 10 days to review findings and provide written comments to auditor
  7. Final audit report completed within 30 business days
  8. OCR will share a copy of the final report with entity

Other Questions

Q17. Would a postal Carrier need a BA agreement? They see patient names on mail that goes out or comes in.

No. USPS, FedEx, couriers or any vendor whose sole purpose is to transport or transmit PHI fall under the “conduit” exception. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular PHI to a conduit is small, a conduit is not a business associate of the covered entity. However, covered entities need to abide by the minimum necessary requirement when mailing documents to patients.

Q18. Do they want # of inpatients or outpatients or both?

Include the total number of inpatient and outpatient visits.

Q19. What's the best way to get beyond the 3-ring binder?

Follow the processes we laid out in the presentation. Make sure your operational practices are consistent with your written procedures. Identify the documents that “prove” you are complying and either know where they are or store them in a book of evidence or in a compliance folder on your computer.

Q20. Must we have an addendum to the BAA that states specifically the services the BA will provide?

It is certainly best practice, if not a requirement. There are nine required elements that a BAA must have. One of those elements states that the BAA must “establish the permitted and required uses and disclosures of PHI by the business associate.” I think a description of services would help fulfill this requirement. Alternatively, the BAA could reference a separate service agreement and attach it as an addendum. It is worth noting that most covered entities use “generic” language in their BAAs and fail to uphold this requirement adequately.

Q21. For a covered entity that may also operate as a BA should they fill out both the CE part and BA part of the questionnaire?

I would use the custom link that comes with the audit questionnaire twice: complete it once as a CE and a second time as a BA.

Stay tuned for our final installment, Part 3, of the HIPAA OCR Audit Q&A. Put your questions and comments below.

Again, the on-demand recording of the webinar that generated these questions is available to watch.

