This Month Only! >> $20 off and a FREE SHRM tote with your membership and code TOTE2018!
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 12 cities across the U.S. this spring.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
Employer health plans should be on the look out for audit notifications
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
The Department of Health and Human Services’ Office for Civil Rights (OCR), tasked with completing HIPAA compliance audits, announced that it has begun Phase 2 of the HIPAA audit program. All covered entities—including
employer-provided group health plans—and their “business associates” have the potential of being selected for a desk or onsite audit. Entities should be on the lookout for e-mails from OCR soliciting contact information and, in the coming months, notification of selection for audit.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) require covered entities (health care providers, health plans and health care clearing houses) to comply with privacy, security, and breach notification rules with respect to individuals’ protected health information (PHI). HITECH also requires the Office for Civil Rights to conduct audits of covered entities and their business associates to ensure compliance with the HIPAA rules. OCR conducted a pilot program in 2011 and 2012 where it audited covered entities for HIPAA compliance. Now, based on the results of the pilot program, OCR is beginning the next phase of the audit program.
Phase 2 Already In Progress
Phase 2 of the audit program, under which OCR will review the HIPAA policies and procedures of covered entities and their business associates, has already begun. OCR is creating a pool of potential auditees by sending e-mails to covered entities and business associates to request and verify entity contact information.
Because OCR is communicating by e-mail and the e-mail may be incorrectly classified as spam, covered entities and business associates should regularly check spam and junk folders for communication from OCR. Check your spam folder—OCR’s e-mails may be incorrectly classified as spam. OCR’s e-mail address is:
Who Will Be Audited?
All covered entities and business associates may be audited. OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans and health care clearinghouses for audit. To that end, it will consider size of the entity, affiliation with other health care organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. (OCR will not audit entities with an open complaint investigation or compliance review.)
After OCR receives entity contact information (as noted above), it will send a pre-audit questionnaire to gather data about the size, type and operations of the entities. The questionnaire will also ask covered entities to identify their business associates. This information will be used to create an audit subject pool. OCR will randomly select entities from the pool for participation.
Failure to reply to OCR’s requests for information will not shield an entity from audit. Instead, OCR will use publicly available information about the entity to add to the subject pool.
What Can I Expect From the Audit?
While most will be desk audits, OCR will conduct some onsite audits. OCR intends to start with desk audits of covered entities followed by desk audits of business associates. A third set of audits will be onsite and will examine a broader scope of HIPAA requirements than desk audits.
OCR will notify entities selected for desk audits by e-mail. The e-mail will explain the subject of the audit and will request documents and other information. Selected entities will have ten business days to submit the requested information online through a secure audit portal on OCR’s website. OCR will also notify entities selected for onsite audits by e-mail. The auditors will schedule a three- to five-day onsite visit. Entities selected for onsite visits can expect a more comprehensive audit than the desk audits.
In both cases, the auditor will review the information and share draft findings with the entity. The entity will have 10 business days to review and comment on the draft findings. Within 30 business days of receiving the entity’s comments, the auditor will prepare a final audit report describing how the audit was conducted, any findings, and the entity’s responses to the draft findings.
Common Business Associates
What’s the Purpose of the Audit?
The audits are intended to improve compliance. OCR will use information from the audit reports to determine what technical assistance and types of corrective action would be most beneficial. It will also create tools and guidance to help with self-evaluation of compliance and prevent breaches of protected health information.
an audit reveals serious compliance issues, OCR may initiate a compliance review for further investigation.
What Should I Do Now?
The turnaround time for providing documents and other information, if selected for an audit, is very short. Entities should prepare now for the possibility of an audit. Important tasks include:
With the HIPAA audit process already begun, entities should promptly confirm that HIPAA compliance is in order. Because OCR will give very little time to provide documentation, entities should take action now to ensure a smooth process if selected.
Kimberly Mitchell, JD, and Amy Dunn, JD, MHA, are affiliated with the Knowledge Resource Center at Xerox HR Consulting. This article originally appeared in the April 8, 2016, issue of
For Your Information, produced by Xerox HR Service’s Knowledge Resource Center. © 2016 Xerox Corp. All rights reserved. Republished with permission.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
SHRM Annual Conference & Exposition
SHRM’s HR Vendor Directory contains over 10,000 companies