20 December 2011

HIPAA Audits Come With Short Turnaround Times

The Department of Health and Human Services ("HHS") has begun a pilot program of HIPAA privacy and security audits for health care providers and health plans, and the audits will have some very short turnaround times.
United States Employment and HR


The Pilot Program

The pilot program will be in two phases. First, a small number of audits will be performed to test the audit protocols and make any necessary revisions. The rest of the audits will be performed using the revised protocols and will be completed by the end of 2012. The pilot program will focus on covered entities of all sizes, including health care providers, health plans and health care clearinghouses. Business associates will be included in future audits.

Short Turnaround Times

The planned timeline for the audits is aggressive. As described by HHS, an audit notification letter describing the initial documents and information to be turned over will be sent to a covered entity. The covered entity is then expected to provide the documents and information within 10 business days. Every audit in the pilot program will include on-site fieldwork. The covered entity will receive notice of the visit 30 to 90 days before it occurs. The on-site visit may last from three to 10 business days, during which time the auditor will observe the covered entity's operations and interview key personnel. A draft audit report will be made available to the covered entity within 20 to 30 days after the visit concludes. The covered entity will have 10 business days to review and discuss the draft with the auditor. Any corrective action that the covered entity would need to undertake will need to be addressed during this period. The final audit report will be submitted to HHS within 30 business days after the covered entity reviews and comments on the draft.

Some Good News

Despite the short turnaround times in the audit process, there is some good news. There will not be a posted list of audited entities, and audit findings will not be disclosed in a way that would identify the audited entity. In addition, the audit reports will generally be used to identify issues that need additional technical assistance rather than to impose penalties. However, if an audit identifies a serious compliance issue, HHS may take action to address the problem.

Practical Tips

  • If you receive an audit notification letter and have questions about whether your documentation and operations are in compliance with the regulations, speak with your attorney immediately—there's no time to waste.

  • Be ready to give the auditor a copy of your HIPAA privacy and security policies and procedures. The regulations require that they be documented in writing (both hard copies and electronic documentation are acceptable), and although HHS has not stated what the auditors will ask for, the policies and procedures will almost certainly be the starting point.

  • Take advantage of the opportunity to review the draft audit report and discuss any appropriate corrective action with the auditor. If the auditor has misunderstood your policies or procedures, or failed to grasp any aspect of your operations, provide a clarification for the final audit report.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
