2016 HIPAA Audits: Prologue (05:19)
Traditional handling of medical records provided opportunities for abuse and misuse. The 1996 Health Insurance Portability and Accountability Act allowed people changing jobs to retain their insurance. It also mentioned health information privacy and security, leading to HITECH HIPAA and Phase 2 audits.
HITECH HIPAA (01:51)
The 2009 "economic stimulus" bill mandated civil and criminal penalties for HIPAA violations, including business associates of covered entities, and authorized audits. See a list of items for a HIPAA "defense arsenal."
Why Should I Even Care? (02:02)
HIPAA-covered entities and business associates are administratively, civilly, and criminally liable, and exposed to mandatory penalties of up to $1.5 million and prison time. State attorneys general may bring HIPAA enforcement actions on behalf of citizens.
HIPAA Wall of Shame (04:07)
See examples of individuals and entities that have received penalties for violating HIPAA, including the Alaska Department of Health and Social Services and the Tennessee Blues.
Scope of 2016 HIPAA Phase 2 Audits (04:11)
Audits target covered entities and their business associates. Objectives include examining compliance mechanisms, identifying best practices, and discovering risks and vulnerabilities. The OCR is compiling contact information of covered entities. See a list of possible target entities.
Who is a Business Associate? (02:50)
Examples of businesses using PHI in work for covered entities include layers and law firms, consultants, accountants, individuals, and organizations. They are required to have policies, procedures, and forms to comply with HIPPA privacy, security, and breach notification rules.
Phase 2 Sampling Criteria (01:18)
Individuals or organizations with open HIPAA complaints or undergoing compliance reviews are exempt from audits. See a list of criteria for audit targets.
What to Expect (01:33)
The HHS will send an email questionnaire inquiring about entity size, type, and operation, and business associate identity and contact information. See tips on preparing a response.
Audit Target Selection (02:28)
Covered entities and business associates will be drawn from questionnaire responses or publicly available information.
Audit Protocols (01:46)
Protocols are expected to vary, depending on the target size and complexity. They do not include state laws. Audit targets are not charged audit fees or costs.
Sets of Phase 2 Audits (02:22)
Audits include desk audits of covered entities, desk audits of business associates, and occasional onsite audits. Targets will receive an HHS document request directed to the primary HIPAA contact. Responses are due within fourteen days.
Responding to Document Request (02:56)
Covered entities should submit documents online within ten business days. Audit targets will receive draft findings; responses are required. A final audit report will occur within thirty business days. Learn about the onsite audit process and use of audit results.
Compliance Review (02:44)
During audits, reviews are used when serious compliance issues are encountered. Neither audited entities nor findings will be posted; other audit information may be released under the Freedom of Information Act. Hear a list of OCR audit goals.
Next Steps (01:09)
Covered entities should expect an OCR email, identify business associates and determine their contact information, and prepare for a possible Phase 2 audit. This includes tracking deadlines for data inquiries, documents, and responses to draft findings.
Session Take-Aways (02:06)
Covered entities and business associates should respond to data inquiries and document requests in a timely manner. Phase 2 audits can lead to civil, administrative and criminal penalties. Conducting a HIPAA risk assessment can reduce exposure and liability.
Credits: 2016 HIPAA Audits: Business Associates Are Targets (00:22)
Credits: 2016 HIPAA Audits: Business Associates Are Targets
For additional digital leasing and purchase options contact a media consultant at 800-257-5126
(press option 3) or email@example.com.