Long Awaited HIPAA Round Two Audits Have Begun

round two 2Announced in the spring of 2014, scheduled to begin in late 2014, OCR announced this week that a second round of HIPAA Audits (following the original 2012 audits) has finally begun.

I have written over the last two years that audits were imminent. I admit it felt like crying wolf at one point. But my insistence all along has been to urge you, our readers, as I we do our clients, not to wait for OCR auditors to come calling.

Going To to Toe with Cybersecurity Risks

Federal Officials are not your opponent. You are more likely to find yourself facing off with cyber threats from malware and increasingly dangerous ransomware. But the real fight you are up against comes from carelessness in your internal processes, negligent or even nefarious employees, or weakness in your systems. Audit or no audit, you could are likely to find yourself sparring with some big challenges. Best to be prepared.

The Audit Process Begins with an Email Letter

HIPAA OCR Audit Letters Have Been SentInitial notification letters were sent to a sample of about 200 covered entities and business associates this week. If your company receives a letter, you have ten days to reply with some basic information.

Here is a sample of the letter sent by email which officials warn your email system’s spam blocker could pick it up. Spam filtering will not be an excuse for missing it.

Following the initial notification, more detailed questionnaires will be sent to the selected organizations. From these questionnaires, an unspecified number of desk audits will follow for both covered entities, first, and then for selected business associates.

When desk audits are completed, the company will receive a draft of auditors’ findings and will then have an opportunity to responds. A final report will include the organization’s response.

Finally, onsite audits will take place in 2017 for a subset of the sample of organizations.

If you receive a notification letter and you’re lucky enough to be part of this process, don’t panic. Hopefully, you have taken the necessary compliance and security steps in recent years, maintained good documentation, and you just need to respond in a timely manner that may be the end of it. Of course, if you received a letter and you are not confident in your organization’s ability to respond or are concerned, once you respond, about facing a desk audit or, down the road, a possible onsite audit with officials, contact us right away and we can still try to help you get ahead of it.

But Will You Receive a Letter? Probably Not.

Officials state that the audit process is a “compliance improvement activity,” not a punitive mechanism. Previous indications led us to believe that the potential for costly penalties would be higher with this round of audits. In general, the stance of enforcement officials is clearly more aggressive now than it was in 2012. In the latest announcement, OCR explains that any “serious issues” identified in audits will be referred for a more detailed compliance review.

In truth, the sampling of organization’s officials will be able to audit in this round is a tiny fraction of regulated entities and it is quite unlikely that yours will be selected.

For most of us, the HIPAA Audits are just a nice way to gauge the compliance enforcement mood of officials and, ultimately, these audits should provide some interesting data about trends. As in 2012, the audits will provide some insight into common challenges faced by regulated companies and help us all focus efforts and discussion on our best options to meet those challenges.

Audit or No Audit, You’re Still in the Ring

For now, I encourage every covered entity and business associate to do everything they can to stay one step ahead of auditors and compliance issues but also to stay ahead of any potential security incident. Of course HIPAA Compliance is not our end goal – security of patient data and organizational systems is the ultimate priority. Don’t wait for an auditor who will likely never get around to your company to tell you how you’re doing. A thorough risk assessment is your best bet for avoiding a knockout punch of a breach or attack.