HIPAA audits intensify with document requests for 'unlucky' providers

More than 150 healthcare organizations received document requests last week as part of the second phase of HIPAA audits, according to the Health and Human Services Office for Civil Rights.

The office emailed requests for documents to 167 HIPAA-covered providers, health plans and other entities on July 11, with responses due July 22. The documents requested concern provisions of HIPAA's Privacy, Security and Breach Notification rules, including breach notification requirements for people whose health information may be at risk.

“The protocol that has been posted is incredibly detailed, so this will be a fast and painful event for those entities unlucky enough to be selected,” Kirk Nahra, an attorney with Wiley Rein, told Bloomberg BNA.

Other than submitting the requested documents, the audits shouldn't be too taxing on providers as the “primary purpose of the audit program is to gather information for future guidance and education,” Nahra said. He suspects OCR will take action only if an entity is found to have a complete lack of compliance with HIPAA protocol.

Covered organizations that have fallen behind on, or refused to meet, their HIPAA compliance obligations may be setting themselves up for a field audit later this year, said Eric Fader, an attorney with Day Pitney LLP.

“It may still be possible for them to polish up their documents and procedures in time to mitigate OCR's wrath somewhat, and I would urge them to perform a top-to-bottom self-assessment and fix what they can, but we will undoubtedly see future settlement announcements from among this pool of auditees,” Fader shared with Bloomberg BNA.

The second phase of HIPAA audits, which was announced in March, will target healthcare providers as well as business associates. Audits of business associates are slated to begin in the fall, the OCR said.