On March 21, the Office for Civil Rights (OCR) announced the second phase of its mandated audit program. In the first phase, OCR primarily audited organizations that had reported a serious breach or against whom a complaint had been filed. In this second phase, OCR will proactively “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
The first step in this process will be an email to covered entities and business associates requesting updated contact information. If there is no response, OCR will utilize publicly available information to create the pool for their audits.
If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publically[sic] available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.
If you receive an email from OCR, it does not mean you will automatically be audited, but not responding to the email will not protect you from audit.
We have been writing about HIPAA since 2008, when I first started writing this blog. A search of our blog posts since then turned up 62 mentions of the Health Insurance Portability and Accountability Act. This is an important issue for all covered entities and their business associates. If you do not know what those terms mean, if you have no Privacy Practices or documented Security Procedures, it is time you get some. If you have not trained new staff about HIPAA, now is the time to do so.
Willful neglect of these requirements will get you in big trouble if you have a breach. Being a small provider of behavioral health services does not protect you. Perhaps it is time for you to review your Risk Assessment, Privacy Notice, Privacy Practices, and Security Procedures just in case you are selected for audit.
Please share your comments in the box below.