Under ERISA, plan fiduciaries have a duty to act prudently. Increasingly, this duty has been understood to include protecting health plan information. To ensure you have met your fiduciary obligations, you should work with your plan professionals to design procedures for safeguarding information that is stored onsite and with third-party vendors. HIPAA established important national standards for the privacy and security of protected health information. The Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk. HITECH requires the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 entities to comply with HIPAA's requirements. OCR then conducted an extensive evaluation of the effectiveness of the pilot program. Drawing on that experience and the results of the evaluation, OCR is implementing phase two of the program. Health plans of all sizes and functions are eligible for an OCR audit under phase two of this program.

OCR plans to conduct both desk and onsite audits. The first set of audits will be desk audits, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules; auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. The onsite audits will examine a broader scope of requirements from the HIPAA Rules than the desk audits. Note also that some desk auditees may be subject to a subsequent onsite audit.

In the coming months, OCR will notify those entities selected, via email, about their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process, and discuss OCR's expectations in more detail. In addition, the letter will include initial requests for documentation. OCR expects entities that are the subject of an audit to submit requested information via OCR's secure portal within 10 business days of the date on the information request. All documents are to be in digital form and submitted electronically via the secure online portal. After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review and return written comments, if any, to the OCR auditor.

Similarly, entities will be notified via email of their selection for an onsite audit. The auditors will schedule an entrance conference and provide more information about the onsite audit process and expectations for the audit. Each onsite audit will be conducted over three to five days, depending on the size of the entity. Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules. As with desk audits, entities will have 10 business days to review the draft findings and provide written comments to the auditor.

In either case, the auditor will complete a final audit report within 30 business days after the auditee's response. OCR will also share a copy of the final report with the audited entity.

These OCR audits are primarily a compliance improvement activity to ensure the safeguarding of participant information. OCR will review and analyze information from the final reports. The aggregated results of the OCR audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use these audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful to the entities. Through the information obtained from these audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing future breaches. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate and assist. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, it will abide by the FOIA regulations.

To prepare, health plans should confirm that they have met the full range of HIPAA compliance obligations, including maintaining written privacy and security policies, amending plan documents, maintaining a Notice of Privacy Practices, and executing updated Business Associate Agreements with plan professionals and vendors. In addition, as indicated above, communications from OCR will be sent via email and may be inadvertently classified as spam. If your organization's spam filtering and virus protection are automatically enabled, it is important that you check your junk or spam email folder for emails from OCR at OSOCRAudit@hhs.gov. If an entity does not respond to OCR's email request to verify its contact information or to the pre-audit questionnaire, OCR will use publicly available information about the entity to create the audit population. Therefore, an entity that does not respond to information requests may still be selected for an audit.

For additional information visit:
http://www.hhs.gov/hipaa/index.html