What To Expect When You Are Expecting… A HIPAA Audit

Searching through your email at the start of the workday, and there it is, staring straight at you – an e-mail from the Department of Health and Human Services’ Office for Civil Rights (OCR) asking questions regarding your contact for the HIPAA audits. Can you believe it?? The first contact with the OCR regarding HIPAA Audits!! What are they asking? What can you expect?

E-mail #1 – Audit Contact Verification

The first point of contact that you will receive from OCR is an e-mail requesting that you verify who your contact is for the HIPAA Audit Program. The challenge with this e-mail is it is not easy to understand or determine who this e-mail will go to within your organization. Additionally, many organizations are finding that this e-mail is ending up in junk mail or spam. Lessons learned – have all leadership check e-mails regularly (including junk and spam) and have IT run scans through e-mail searching for e-mails from the OCR.

Audit Contact Verification Steps

• Monitor e-mail on all leadership and internal compliance contacts
• Regular scan e-mail system for an e-mail from [email protected]
• Look in spam and junk folders on a daily basis
• Discuss internally who should be the appropriate contact at your organization
• If the e-mail is received, respond quickly and ensure you met the deadline set in your e-mail

Here is the sample letter from the OCR regarding contact verification. The only difference seen from this letter to the actual letter is you only have FIVE (5) days to respond and confirm the contact.

E-mail #2 – OCR Audit – Entity Screening Questionnaire

Once you have confirmed your contact from e-mail #1, it is clear who will receive the additional communications regarding the HIPAA Audits. Within a few days of the confirmation of the contact, most covered entities are receiving the second e-mail from the OCR regarding the audits – the entity screening questionnaire. The purpose of this e-mail is to gather demographics and information regarding the covered entity.

A list of all questions on the screening questionnaire can be found here. The questionnaire consists of 30 questions that help the OCR understand your specific organization (the number of questions answered will vary based on the type of covered entity you are). The information they will gather varies from the type and size of your organization to the activities you do with third-party vendors. You will enter the information into an electronic system created by the OCR. It is wise to start to gather the information now in the event you are asked as you will only have approximately 30 days to respond to the questionnaire.

Entity Screening Questionnaire Steps

• Check e-mail to watch for the questionnaire e-mail
• Review and start to complete the entity screening questionnaire
• Answer the questions appropriately and save all the answers
• Conduct at least one review of the information provided prior to submitting the information to the OCR
• Once submitted, start to evaluate HIPAA compliance with the HIPAA Audit protocol

The healthcare industry hasn’t seen much additional communication being sent from the OCR after the screening questionnaire. Most likely because the OCR hasn’t officially started the actual HIPAA audit process. They are still in the process of gathering contacts and information regarding individuals that will be put into the selection pool for the audits. According to the OCR, the audit selection will be a random sample from the pool of individuals that have completed the entity screening questionnaire. The actual audits have been rumored to start in early summer 2016. The biggest piece of advice is to be prepared and ready in the event that you are selected. Don’t wait and assume you will not be selected. Time is critical with the 2016 HIPAA audits.