GUEST BLOG: HIPAA Compliance Audits, Round 2 – Are You Ready to Rumble?

27 May 2016 | Internet, IT & e-Discovery Blog
Authors: Peter Vogel

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who specializes in complex litigation with a focus on technology and Internet eCommerce-related issues.

Over the next few months, the Office for Civil Rights (OCR) will begin the second phase of its HIPAA audit program, as part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. This new phase focuses on reviewing the policies and procedures adopted and employed by covered entities and, for the first time, their Business Associates, to meet selected standards and implementation specifications for the Privacy, Security, and Breach Notification Rules.

The audit program actually commenced in April 2016, when OCR sent out between 500 and 1000 Audit Pre-Screening Questionnaires to designated company contacts. So on the plus side, if your organization did not receive one of these questionnaires, it is a pretty safe bet that you will not be audited by OCR this year (but check your spam e-mail filter – OCR has made it clear that “not getting your e-mail” will not excuse non-compliance, either with the requirement to fill out the questionnaire or with the need to cooperate with any subsequent audit). If you did receive and complete a questionnaire, you could be getting a notice to produce documents soon!

The full audit protocol covers literally hundreds of standards and specifications, but generally speaking, OCR has confirmed the following areas of focus:

  • For covered entities being audited on privacy, OCR will look mostly at individuals’ rights of access and notices of privacy practices;
  • For covered entities being audited on security, OCR will look mostly at risk analysis and management;
  • For covered entities being audited on breach notification, OCR will look at the timing and content of breach notification, and possibly any internal assessments that an actual impermissible use or disclosure of PHI was not a breach; and
  • For business associates, OCR will look at risk analysis and management and the timeliness and content of breach notifications to covered entities.

As for timing, once you receive a notice from OCR that you have been selected for a desk audit, you will have ten business days to produce whatever documents the agency has requested. While agencies, under normal circumstances, might be willing to grant an extension if you need more time, I would not bank on that here. Given the number of data breaches that have occurred in the healthcare industry (a recently released report indicates that roughly 90% of healthcare organizations have experienced at least one data breach in the past two years), OCR wants to evaluate compliance, and it wants to do it quickly.

So don’t wait for the audit notice. Have all of your privacy, security and breach notification compliance documents ready to go. If the request ends up being narrower than expected, it will be easier to cull out what you do not need.
