
  • New Round of HIPAA Audits Will Include Business Associates

    Get ready for a new round of Health Insurance Portability and Accountability Act (HIPAA) audits—and this time, they're going to be even broader in scope to include not just providers and other entities, but also the "business associates" that handle patient data. And just like the first phase of audits completed in 2012, the process includes onsite visits.

    The new round of audits, conducted by the Department of Health and Human Services' (HHS) Office of Civil Rights (OCR), is aimed at a "wide range of health care providers, health plans, health care clearinghouses, and business associates," according to information from HHS. The audits will not include entities currently under investigation or under compliance review.

    The audit process will begin with entity desk audits, conducted electronically, followed by a second round of desk audits of that entity's business associates. OCR hopes to complete this phase of the process by the end of December 2016.

    After that, OCR will shift to onsite audits intended to cover "a broader scope of requirements from the HIPAA Rules than desk audits." Afterwards, auditors will provide draft findings to the entities with the opportunity to respond. Those responses will be included in a final report.

    HHS describes the audits as "primarily a compliance improvement activity" after which aggregated results will allow OCR to "better understand compliance efforts with particular aspects of the HIPAA Rules." Still, HHS says, "should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate."

    The latest audit is the second phase of a review program required by the 2009 American Recovery and Reinvestment Act, which also increased HIPAA security requirements and stipulated that a HIPAA-covered entity's business associates—companies that process, analyze, or handle data—are also subject to HIPAA rules. The first phase ended in 2012. OCR has already begun emailing providers and other entities about the startup of phase 2.

    APTA offers a HIPAA webpage with resources to help physical therapists and physical therapist assistants understand the requirements. In addition, HHS has published a helpful guide to security of health information, and recently posted an announcement about the newest round of audits, including a list of frequently asked questions.

    Think you know your HIPAA? Take this quick 5-question quiz.


    • More useless distractions which steal time from patient care. Between G-codes, documentation requirements, treatment plan protocols, PQRS, defending against CERT, RAC, OIG, OSHA, et al, we are at wit's end. Call a spade a spade.....we are paid for data collection and compliance with regs. Period.

      Posted by Baltimore Therapist on 3/30/2016 11:19 PM
