HIPAA Audit Program Phase II – Have You Been Selected?

Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving a “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) and the Office of Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit,  it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.  According to OCR, the process for the HIPAA Audit Program is as follows:

1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore the OCR’s request for verification.  The OCR has made it clear that entities who do not respond could still be subject to an audit.

2. Questionnaire: After the entity’s contact information is verified, the OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity.  Covered Entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.

3. Selection: OCR will then randomly select entities from the pool for audit.  If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit.  However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act.  In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
2. Threats: Potential threats to the security of your information assets;
3. Controls: Current controls to safeguard the assets against the threats;
4. Vulnerabilities: Any vulnerabilities in the controls;
5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
7. Risk: The overall risk of a threat based the likelihood and potential impact of the threat’s exploitation of a vulnerability.

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.