HIPAA Audits and the HITRUST HIPAA Compliance Pack

Date: May 27, 2021

By Leslie Weinstein, HITRUST Solutions Director

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act of 1996 and includes rules for covered entities regarding privacy, security, and reporting breaches of unsecured Protected Health Information (PHI).* Covered entities include health care providers, health plans, and health care clearinghouses. The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. A breach as defined by HIPAA is generally an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. The HIPAA Breach Notification Rule requires Covered Entities and their Business Associates to provide notification to the U.S. Department of Health and Human Services (HHS) Secretary of a breach.

What is a HIPAA Audit?

The Office for Civil Rights (OCR) at HHS is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to periodically audit covered entities and business associates for their compliance with the HIPAA Rules, as well as to investigate complaints filed against covered entities. The audits assess an entity's compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review. Every HIPAA audit starts as a desk audit, which is a review of requested policies, procedures, and other related documentation.

How will OCR Notify Me of an Audit?

OCR will notify a covered entity in writing through email about their audit. The initial audit is known as a desk audit and will involve a review of the requested documentation only. The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. In addition, the notification will provide a list of policies and documentation to be submitted to OCR as well as a list of questions regarding compliance activities.

HIPAA Audit Process

In response to the letter, OCR expects covered entities that are the subject of an audit to submit the requested information via OCR’s secure portal within 10 business days of the date on the information request. All documents are required in digital form and must be submitted electronically via the secure online portal. Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The evidentiary documentation must be clear and pertinent — the auditor will not search for relevant documentation that may be contained within such compilations.

After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity. Some OCR information requests lead to an onsite audit; however, crafting a quality narrative response and providing corresponding policies and evidence of compliance will significantly reduce the likelihood of an onsite audit.

HITRUST HIPAA Compliance and Reporting Pack

[Screenshot: HIPAA tab in HITRUST MyCSF]

The HITRUST HIPAA Compliance and Reporting Pack is designed to significantly streamline how organizations capture and present regulatory compliance evidence. HITRUST MyCSF automatically compiles evidence from your assessment and generates a report that maps the applicable HIPAA requirements to your HITRUST CSF Assessment. To help streamline your response, MyCSF allows you to pull only the requirements OCR requests. In addition to mapping the HIPAA requirements to your HITRUST CSF Assessment, the HIPAA Compliance Reporting Pack also maps each requirement to corresponding policies and the relevant evidence that should be submitted to OCR to demonstrate compliance.

The HITRUST Regulatory Assistance Center

Gathering your compliance responses and corresponding evidence to demonstrate compliance is only half of what is required when responding to an OCR request for information. Your response to OCR should also include a narrative response describing how you are compliant with each of the OCR-selected requirements. The HITRUST Regulatory Assistance Center is staffed with security and privacy professionals who can refer you to outside attorneys and other experts familiar with HIPAA regulations and the OCR audit process.** For organizations that have a HITRUST CSF Certification, the HITRUST Regulatory Assistance Center is a free resource that will help guide you in crafting the narrative response that accompanies your documentation during the OCR inquiry.


We encourage MyCSF subscribers to take advantage of HITRUST resources to address HIPAA compliance requirements.

For more information about the HITRUST HIPAA Compliance Reporting Pack, or to schedule a demo.

To find out more about the Regulatory Assistance Center.

Make sure to visit HITRUST Booth #7401 at the HIMSS Global Health Conference & Exhibition in Las Vegas, August 9-13th!

*Information about HIPAA and the HIPAA audit process summarized from: www.hhs.gov/hipaa
**The HITRUST Regulatory Assistance Center is a preliminary resource to assist organizations undergoing an audit, and use of it does not create or constitute an attorney-client relationship. To find out more or submit a request.
