
Healthcare Providers, Health Plans, & Health Insurers – Are You Ready? HIPAA Phase 2 Audits Have Begun

By Garrett J. Dowd on April 22, 2016. Posted in Affordable Care Act (ACA), Plan Administration

Attention health care providers – both individuals and group practices – as well as health insurers, HMOs, self-funded health plans, clinics, nursing homes, pharmacies and other covered business entities – start checking your inboxes or your spam folders today:  Phase 2 of the HIPAA Audit Program is here.

Are you ready?

The Office for Civil Rights (OCR) of the Department of Health and Human Services has begun emailing letters to a broad range of HIPAA covered entities – medical and health care providers, health plans and health care clearinghouses – requesting verification of their primary contact.  OCR is doing this as the first step in its latest effort to assess and enforce compliance with HIPAA’s complex privacy, security and breach notification rules.  Covered entities will have only 14 days to respond.  OCR will then email the entities’ identified contacts pre-audit questionnaires requesting information about their size, type of entity and operations and a list of all of their business associates and contact information for them.  OCR will use the entities’ responses to develop pools of potential auditees, from which it will randomly select entities and their business associates for the two types of audits described below.

Note that failure to return the questionnaires will not exempt an organization from being audited.  OCR will simply turn to publicly available information and assign entities to pools on that basis.  (And a failure to respond may catch the attention of OCR, which may be more interested in pursuing investigation and enforcement actions against non-responsive entities.)

The Phase 2 audit program (like Phase 1 before it) is mandated under the Health Information Technology for Economic and Clinical Health Act (HITECH), which requires HHS to periodically audit covered entities’ and business associates’ HIPAA compliance.  Phase 1, conducted in 2011 and 2012, was a pilot program to assess the controls and processes of 115 covered entities to test and develop audit protocols.  Now Phase 2 has arrived to allow OCR to further examine the mechanisms for compliance, uncover risks and vulnerabilities, identify best practices, and create tools and guidance that will help entities to get out in front of problems before breaches happen.  Further, because Phase 1 exposed widespread noncompliance with HIPAA rules, OCR may conduct Phase 2 audits with an emphasis on enforcement efforts, including civil monetary penalties and resolution agreements.

Phase 2 will begin with two rounds of desk audits, first of covered entities and then their business associates.  This will be followed by a round of more detailed onsite audits of both covered entities and business associates.  In a desk audit, OCR will email auditees it has selected a letter requesting certain documents, which must be submitted on-line within 10 business days in digital form via a new secure audit portal on OCR’s website.  OCR auditors will examine the documents and write a draft audit report, which they will share with auditees.  Auditees will have 10 days to comment on the draft report; their written responses will then be included in the final audit report, which will be due within 30 days after the auditees have commented.  The desk audit portion of Phase 2 is to be completed by the end of December 2016.

Then OCR will start a round of the more comprehensive onsite audits to examine a broader range of compliance issues under HIPAA’s privacy, security and breach notification rules.  (Note that organizations that have already been desk-audited may also find themselves chosen for an onsite audit.)  For an onsite examination, first the auditors will schedule an entrance conference and provide information about the process of and expectations for the audit.  The audits themselves will take three to five days, depending on the entity’s size.  As with the desk audits, a draft report will be prepared for the auditees’ comments (which must be provided within 10 days), and a final report is due within 30 days after the auditees have commented.

Because of the tight deadlines for responding to OCR’s inquiries, health care providers, health insurers, health plans and others should prepare now.  First, decide who in the organization will be the primary contact.  If your organization is so large that answering OCR’s queries could prove burdensome to one employee, consider creating an audit team to handle different aspects of the audit.  Assemble a list of all business associates, with contact information and copies of all business associate agreements.  Finally, begin to gather documents likely to be requested, such as the entity’s policies and procedures relating to HIPAA’s privacy, security and breach notification rules; current notices of privacy practices (with any updates); copies of any risk assessments and descriptions of efforts to address identified risks; documentation of any employee training on accessing, handling, storing or disposing of protected health information (PHI); any logs of requests for access to PHI; and particularly any potential or actual unauthorized disclosures of unsecured PHI (and all documentation of the related investigation, all efforts to mitigate any harmful effects of a breach, any disciplinary procedures on account of the breach, and any notifications the entity had to make).

For an overview of the HIPAA compliance obligations of covered entities and business associates, please refer to our Health Care Practice Legal Update on our website.