OCR issues additional HIPAA audit guidance

August 02, 2016

Health Care Alert

Author(s): Laurie T. Cohen, Valerie Breslin Montague, Lindsay Maleson

Office for Civil Rights (OCR) hosted a webinar on July 13, 2016, for the 167 covered entities selected for the OCR HIPAA desk audits. OCR released its webinar presentation and two additional documents, which include responses to the questions raised by the auditees during and after the webinar and a guidance document on the specific HIPAA standards that have been selected for audit and the corresponding audit protocols. Interestingly, the selected auditees are not being uniformly audited; rather, some have been asked about selected privacy policies and practices, others will be audited on selected security and breach notification standards, and still others received inquiries regarding selected privacy, security and breach notification standards. Furthermore, covered entities with multiple locations are being audited either with respect to one particular site or all locations in the system.

Although this OCR guidance was prepared to assist those covered entities selected for audit, the materials will also be helpful to covered entities and business associates who are assessing their current compliance with the HIPAA privacy, security and breach notification rules. The selected audit standards focus on many of the areas that have been cited in the OCR resolution agreements and corrective action plans announced in the past year. For example, covered entities being audited on the security rules standards are being asked for copies of policies and procedures regarding their risk analysis process as well as copies of their current risk analysis and the immediately preceding risk analysis. The failure to conduct or update a security risk assessment has been a recurring issue in many of the recent OCR resolution agreements.

Covered entities being audited on the privacy standards are asked to supply copies of their notice of privacy practices (NPP) and evidence that the NPP is posted on the covered entity’s website and within its facility. In addition, these covered entities are also being asked for copies of their policies and procedures addressing an individual’s right to access their protected health information (PHI), including documentation of the first five requests for PHI received in the prior calendar year and evidence that the covered entity fulfilled such requests. OCR issued two guidance documents earlier this year addressing an individual’s right to access his or her PHI, which can be viewed at http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html and http://www.hhs.gov/blog/2016/02/25/new-hipaa-guidance-accessing-health-information-fees-copies.html.

OCR has reiterated that the audit process is intended to identify industry best practices and discover risks and vulnerabilities not identified through enforcement activities. Although generally considered an educational process, it is possible that a compliance investigation can be initiated if serious issues are identified. The audit process will include business associates in the fall, and a limited number of on-site audits are expected to begin in early 2017.

The audit guidance materials are available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top