In 2016:
After years of anticipation, federal regulators on Monday launched a new round of audits to gauge compliance with patient privacy provisions of the Health Insurance Portability and Accountability Act. The launch is starting off innocuously with emails to so-called covered entities — healthcare providers, insurance plans and clearinghouses — as well as business associates that handle patient information on behalf of those entities (a copy of the email is posted below).
The emails will simply ask to verify contact information, after which recipients will receive a “pre-audit questionnaire” seeking details on their business size and operations. From there, the Office for Civil Rights at the U.S. Department of Health and Human Services will create a pool of audit targets. The pool will “represent a wide range of healthcare providers, health plans, health-care clearinghouses and business associates,” the OCR said Monday.
If an audit turns up a “serious compliance issue,” the OCR said that further investigation may occur, which could trigger financial penalties and a formal agreement to improve HIPAA compliance.
More broadly, the agency said that it will use its findings to develop new guidance and policies aimed at strengthening adherence to the HIPAA rules that safeguard the confidentiality of so-called protected health information.
It was not immediately clear how many audits the OCR intends to conduct. The agency did say that most of the reviews will be remote “desk audits,” although some in-person audits will take place. The OCR performed pilot audits in 2012, but funding for further inquiries dried up. As a result, it has relied on tips and disclosures of breaches to police HIPAA compliance. That gives the agency plenty of material, but government watchdogs have still criticized the lack of proactive oversight.
______________________________________________
DATE
Contact Person’s Name
CE/BA Name
Address
City, State ZIP
Dear Contact:
This is an automated communication from the Office for Civil Rights (OCR).
According to our records, you are the primary contact OCR should use to reach Entity Name regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this email address.
Please respond within fourteen (14) days as instructed below to either confirm your identity and email address or instead provide updated primary and secondary contact information.
If you ARE the primary contact for this organization, please select the following link YES. Once the link is selected, a browser window will open and your response will be recorded.
If you ARE NOT the primary contact for this organization, please select the following link NO. Once the link is selected, a browser window will open and your response will be recorded.
Thank you for your cooperation. If we do not receive a response from you we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.
If you have questions or comments regarding this message, you may contact us at OSOCRAudit@hhs.gov.
Sincerely,
Jocelyn Samuels
Director
Office for Civil Rights
OFFICE OF THE SECRETARY
Department of Health and Human Services
http://www.hhs.gov/ocr