HIPAA Privacy and Security Audit Program: The Office of Civil Rights (“OCR”), which is the division of the Department of Health and Human Services (“HHS”) that is responsible for enforcement of the HIPAA Privacy and Security Rules and the Breach Notification standards, recently announced the “pilot phase” of a HIPAA audit initiative beginning immediately and extending through December of 2012.
According to the OCR’s website, over the next year this initiative will include a broad range of HIPAA covered entities, including group health plans, health care providers, and health care clearinghouses. Although HIPAA business associates are not the target of the initial pilot program, OCR indicates that business associates will be included in future audits.
The launch of OCR’s formal audit program highlights the importance of periodic review of group health plan HIPAA compliance by plan sponsors. This HIPAA compliance review should include, at a minimum, the following steps:
- Review of plan documentation to ensure that appropriate provisions addressing HIPAA obligations are included;
- Implementation and periodic review of written HIPAA privacy policies and procedures;
- Implementation and periodic review of required administrative, technical and physical safeguards related to electronic protected health information;
- Implementation and documentation of a risk assessment and breach notification procedures;
- Review of business associate agreements, as well as periodic audit of HIPAA compliance procedures adopted by business associates; and
- Periodic workforce training regarding HIPAA’s privacy and security requirements for those workforce members with access to group health plan information.
Conducting this compliance review in the near future will help ensure that your company’s group health plan is not caught off guard by a HIPAA audit, and will help avoid the potential imposition of noncompliance penalties by OCR.