By Christine A. Williams, Of Counsel
Perkins Coie LLP, Los Angeles, CA
The Department of Health and Human Services (HHS) has begun a pilot program of HIPAA privacy and security audits for health care providers and health plans, and the audits will have some very short turnaround times.
The Pilot Program
The pilot program will be in two phases. First, a small number of audits will be performed to test the audit protocols and make any necessary revisions. The rest of the audits will be performed using the revised protocols and will be completed by the end of 2012. The pilot program will focus on covered entities of all sizes, including health care providers, health plans and health care clearinghouses. Business associates will be included in future audits.
Short Turnaround Times
The planned timeline for the audits is aggressive. As described by HHS, an audit notification letter describing the initial documents and information to be turned over will be sent to a covered entity. The covered entity is then expected to provide the documents and information within 10 business days. Every audit in the pilot program will include on-site fieldwork. The covered entity will receive notice of the visit 30 to 90 days before it occurs. The on-site visit may last from three to 10 business days, during which time the auditor will observe the covered entity's operations and interview key personnel. A draft audit report will be made available to the covered entity within 20 to 30 days after the visit concludes. The covered entity will have 10 business days to review and discuss the draft with the auditor. Any corrective action that the covered entity would need to undertake will need to be addressed during this period. The final audit report will be submitted to HHS within 30 business days after the covered entity reviews and comments on the draft.
Some Good News
Despite the short turnaround times in the audit process, there is some good news. There will not be a posted list of audited entities, and audit findings will not be disclosed in a way that would identify the audited entity. In addition, the audit reports will generally be used to identify issues that need additional technical assistance rather than to impose penalties. However, if an audit identifies a serious compliance issue, HHS may take action to address the problem.
If you receive an audit notification letter and have questions about whether your documentation and operations are in compliance with the regulations, speak with your attorney immediately; there's no time to waste.
Be ready to give the auditor a copy of your HIPAA privacy and security policies and procedures. The regulations require that they be documented in writing (both hard copies and electronic documentation are acceptable), and although HHS has not stated what the auditors will ask for, the policies and procedures will almost certainly be the starting point.
Take advantage of the opportunity to review the draft audit report and discuss any appropriate corrective action with the auditor. If the auditor has misunderstood your policies or procedures, or failed to grasp any aspect of your operations, provide a clarification for the final audit report.
For more information, in the Tax Management Portfolios, see Cowart, 389 T.M., Medical Plans - COBRA, HIPAA, HRAs, HSAs and Disability, and in Tax Practice Series, see ¶5920, Health & Disability Plans.
© 2011 Perkins Coie LLP
Copyright©2012 by The Bureau of National Affairs, Inc.