Section 13411 of the HITECH Act requires the Department of Health and Human Services (“DHHS”) to audit covered entities and business associates to ensure that they are complying with HIPAA’s Privacy, Security, and Breach Notification Rules.
DHHS completed the Phase 1 Audits of 115 covered entities in 2011 and 2012 with the evaluation of the audits completed in 2013. The Phase 1 Audits were onsite audits conducted by KPMG, a large accounting firm. Among other findings, the audits revealed that 47 out of 59 providers had not performed a complete and accurate risk analysis. Nor had 20 of 35 health plans done so.
Significantly, 30 percent of the violations were due to the covered entity not being aware of the HIPAA requirements. Other causes were lack of sufficient resources, incomplete implementation, and complete disregard of the requirements.
The Phase II Audits will target covered entities (health plans of all types), health care clearinghouses, individual and organization providers, and business associates. Providers who are selected for audit will be asked to identify their business associates. The audits will cover a broad range of the foregoing, including group health plans, physicians and group practices, mental and behavioral health, dental practices, hospitals, and laboratories. DHHS will target those areas that were identified as being common compliance failures in the Phase 1 Audits.
These audits will not be onsite audits. Instead, DHHS will conduct desk audits of documentation submitted by those selected for audit. DHHS will specify what documentation the covered entity or business associate must submit. DHHS will consider only information that is submitted on time and that is current as of the date of the request.
This method of audit proves our main point for HIPAA compliance: if it’s not written, it’s not. You must have all the required policies, procedures, plans, and records, such as training records and security incident reports, to survive a desk audit. DHHS has provided guidance.
If you have no idea where to start or wonder whether you are sufficiently compliant to survive an audit, order our HIPAA Compliance Library, our Gap Analysis package, our Risk Analysis package, my policies and procedures guide with accompanying CD, do everything that we tell you to do, keep all of written the documentation of everything that you do to achieve compliance in Your Happy HIPAA Book, and rest easy.