Desk Audits

HIPAA Desk Audits are Underway! BA Desk Audits Right Around the Corner

Sullivan Stolier Schulze & Grubb LC, 7/26/2016

On July 11, 2016, HHS Office of Civil Rights (OCR) notified 167 Covered Entities (CE) of their selection, via a random sampling process, to participate in HIPAA desk audits. Desk audits will be limited in scope to a total of seven (7) Privacy, Security, and Breach Notification Rule requirements. To review these elements go to:
http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf

Some CEs may be chosen for further review via onsite audits. Comprehensive onsite audits of both CEs and BAs will begin in early 2017. They will evaluate auditees against a comprehensive set of HIPAA compliance controls.

MECHANICS
CEs (and, later, Business Associates (BAs)), will receive two (2) separate documentation requests from OCR – one asking for a listing of policies, procedures, and/or other related documentation, and one requesting a list of all the CE’s BAs. The request will specify the documentation elements to be provided.
Each auditee is expected to:

Provide only the policies andprocedures that are relevantto the controls requested;
Provide clear, complete, andresponsive documentation toOCR; and
Auditees will not receive“credit” for a laterdocumentation submission.

If a CE/BA does not have the requested documentation, it must submit an explanation for the deficiency in its response.

Following the desk audit, OCR will prepare and share draft findings and will share them with the CE/BA. The CE/BA may respond to the draft findings in writing and those responses will be included in the final audit report. Final audit reports will describe how the audit was conducted, present any findings, and contain entity responses to the draft findings.

Note that OCR has separate, broad authority to open a compliance review of any CE/BA where significant threats to the privacy and security of PHI are revealed through the audit.

BA DESK AUDITS RIGHT AROUND THE CORNER

BA desk audits will begin in the Fall. The selection pool will be comprised largely of BAs identified by the audited CEs in their document responses.

Comprehensive onsite audits of both CEs and BAs are expected to begin in early 2017.

For some frequently asked questions and answers see:
https://www.hhs.gov/sites/default/files/Phase2AuditOpeningMeetingWebinarQ%26A.pdf

Sullivan Stolier Schulze & Grubb LC has assisted healthcare providers for many years with compliance and other healthcare regulatory issues.

Desk Audits

HIPAA Desk Audits are Underway! BA Desk Audits Right Around the Corner

BA DESK AUDITS RIGHT AROUND THE CORNER

Share This Story, Choose Your Platform!

Related Posts

Living with Billeaudeau

NEW PROCESS FOR APPEALING MEDICAID MCOS’ ADVERSE CLAIM DETERMINATIONS

Chambers USA 2017

Off-Campus Provider-Based Departments

ERISA Preemption of Claims against Managed Care Organizations