• linkedin
  • Increase Font
  • Sharebar

    Forthcoming HIPAA audits likely to target pharmacies

    Ned MilenkovichNed MilenkovichThe Office for Civil Rights (OCR) at the Department of Health and Human Services kicked off Phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) Audit Program in March 2016. The Phase 2 Audit Program is intended to review compliance of covered entities and their business associates with HIPAA privacy, security, and breach-notification regulations. Pharmacies, among a host of other healthcare providers, health plans, clearinghouses, and business associates, are subject to possible audit in Phase 2.

    See also: CMS issues final rule for covered outpatient drugs

    Phase 1

    OCR piloted Phase 1 of its HIPAA Audit Program in 2011, evaluating more than 100 covered entities for compliance. These audits marked OCR’s initial effort to gather information on covered entities.

    Phase 1 was largely viewed by stakeholders as a “soft” approach toward compliance, intended to determine the level of technical implementation needed and the types of corrective action that a covered entity should develop. However, subsequent to Phase 1, there have been a flurry of enforcement actions taken by OCR against various healthcare entities for HIPAA violations.

    The genesis of the audit program stems from The Health Information Technology for Economic and Clinical Health (HITECH) Act, which is an amendment to the original HIPAA statute. Essentially, HITECH requires OCR to undertake periodic audits of covered entities and business associates to determine their HIPAA compliance.

    See also: OCR issues new HITECH regulations

    Early warnings

    While OCR is set to begin its Phase 2 Audit Program, it is already sending communications to potential audit candidates. Verification of entities to be audited, as well as a preliminary question list, will be sent to those entities selected for Phase 2. From the preliminary pool of potential candidates and the questions answered, OCR will then choose the final list of entities that will participate in the Phase 2 Audit Program. Notably, ignoring the initial question list sent will not prevent an entity from being chosen for the final audit pool.

    Phase 2 audits are likely to be both desk and onsite audits for covered entities and their business associates who provide services for those audited covered entities. In the first round of the Phase 2 audits, covered entities should expect desk audits, followed by desk audits of business associates. Once this has been completed, some of the audited entities will be selected for an onsite audit.

    The process

    At the onset of the desk audit, OCR will request various documents and supporting materials that give evidence of compliance with HIPAA. At that time, the responding entity will have 10 days to provide the necessary information.

    Subsequent to the response from the audited entity, OCR will review the requested documentation and send a response to the subject entity. At that time, the audited entity will review OCR’s findings and have 10 days to respond to the governmental findings.

    If an entity is chosen for an onsite audit, a date will be scheduled and the entity will be instructed about the format and the additional information that OCR will seek. The onsite audits may last up to one week. As with the desk audits, an entity undergoing an onsite audit will have 10 days to respond to OCR’s findings if it so chooses.

    If the Phase 2 audits uncover serious compliance concerns, the audited entity may undergo more rigorous compliance reviews that could ultimately lead to discipline levied by the government. This could include remediation requirements and monetary penalties.

    Ned Milenkovich, PharmD, JD
    This article is not intended as legal advice and should not be used as such. When legal questions arise, pharmacists should consult with ...

    0 Comments

    You must be signed in to leave a comment. Registering is fast and free!

    All comments must follow the ModernMedicine Network community rules and terms of use, and will be moderated. ModernMedicine reserves the right to use the comments we receive, in whole or in part,in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

    • No comments available
    Slideshows
    Small Doses: The Weekly News You Need to Know
    Small Doses: The Weekly News You ...

    Small doses is a weekly slideshow of the news you may have missed, made just for you and your busy lifestyle.

    25 Cities With The Lowest Pharmacist ...