HIPAA Audits Come with Short Turnaround Times

By Christine A. Williams, Of Counsel

Perkins Coie LLP, Los Angeles, CA

The Department of Health and Human Services (HHS) has begun a pilot program of HIPAA privacy and security audits for health care providers and health plans, and the audits will have some very short turnaround times.

The Pilot Program

The pilot program will be in two phases. First, a small number of audits will be performed to test the audit protocols and make any necessary revisions. The rest of the audits will be performed using the revised protocols and will be completed by the end of 2012. The pilot program will focus on covered entities of all sizes, including health care providers, health plans and health care clearinghouses. Business associates will be included in future audits.

Short Turnaround Times

The planned timeline for the audits is aggressive.  As described by HHS, an audit notification letter describing the initial documents and information to be turned over will be sent to a covered entity. The covered entity is then expected to provide the documents and information within 10 business days. Every audit in the pilot program will include on-site fieldwork. The covered entity will receive notice of the visit 30 to 90 days before it occurs.  The on-site visit may last from three to 10 business days, during which time the auditor will observe the covered entity's operations and interview key personnel. A draft audit report will be made available to the covered entity within 20 to 30 days after the visit concludes.  The covered entity will have 10 business days to review and discuss the draft with the auditor. Any corrective action that the covered entity would need to undertake will need to be addressed during this period. The final audit report will be submitted to HHS within 30 business days after the covered entity reviews and comments on the draft.

Some Good News

Despite the short turnaround times in the audit process, there is some good news. There will not be a posted list of audited entities, and audit findings will not be disclosed in a way that would identify the audited entity. In addition, the audit reports will generally be used to identify issues that need additional technical assistance rather than to impose penalties. However, if an audit identifies a serious compliance issue, HHS may take action to address the problem.

Practical Tips

If you receive an audit notification letter and have questions about whether your documentation and operations are in compliance with the regulations, speak with your attorney immediately-there's no time to waste.

Be ready to give the auditor a copy of your HIPAA privacy and security policies and procedures. The regulations require that they be documented in writing (both hard copies and electronic documentation are acceptable), and although HHS has not stated what the auditors will ask for, the policies and procedures will almost certainly be the starting point.

Take advantage of the opportunity to review the draft audit report and discuss any appropriate corrective action with the auditor. If the auditor has misunderstood your policies or procedures, or failed to grasp any aspect of your operations, provide a clarification for the final audit report.

 For more information, in the Tax Management Portfolios, see Cowart, 389 T.M., Medical Plans - COBRA, HIPAA, HRAs, HSAs and Disability,  and in Tax Practice Series, see ¶5920, Health & Disability Plans.

© 2011 Perkins Coie LLP

Copyright©2012 by The Bureau of National Affairs, Inc.