The U.S. Department of Health and Human Services recently announced that it would be conducting a second phase of HIPAA audits.
The audit program is intended to be primarily for information gathering, but the HHS Office for Civil Rights will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues. Therefore, it is important that dental practices have a current HIPAA risk analysis in place; that their Notice of Privacy Practices is current and acknowledgement of receipt forms are maintained. They should also have policies and procedures in place to identify and respond to breaches.
The OCR will also want to see how practices respond to patient requests to access and amend their records.
Phase 1 audits were conducted between 2011 and 2012 by consulting firm KPMG. In Phase 2, the OCR will be conducting the audits, starting in 2014 and continuing into 2015. The OCR states that it will contact between 550-800 covered entities by sending them a link to an online “presurvey.” From there, the OCR will use the results of the survey to select a projected 350 covered entities to audit.
Selected entities will be notified and sent data requests in the fall of 2014. Entities selected for audit will have two weeks to respond to the initial data request.
Audits will occur between October 2014 and June 2015.
The OCR has stated that the audits will be narrower in scope than in Phase 1. They will focus on the following areas for the Phase 2 audits:
- Security – risk analysis, risk management, device and media controls, transmission security.
- Breach – content and timeliness of notifications.
- Privacy – notice, access to records, safeguards and training.
The ADA offers a HIPAA Compliance Kit with sample policies, procedures and forms. Office breach policies and procedures should also note California requirements that are different from HIPAA requirements. Resources available on cda.org/practicesupport include “Data Breach Notification Requirements,” “Sample Notice of Privacy Practices,” and “Access to Patient Records FAQ.”
Covered entities selected for audit will also be asked for the names and contact information of their business associates. The OCR will select 50 business associates to audit in Phase 2, beginning in 2015.
Dental practices should keep an eye out in the coming months for correspondence from the OCR and are encouraged to respond to any requests in a timely manner.
For more HIPAA resources, visit cda.org/practicesupport.