As part of the OCR's continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the OCR has begun its next phase of audits (Phase Two) of randomly selected covered entities AND their business associates.


Selected covered entities began receiving letters on Monday, July 11, 2016. Communications from the OCR will be sent via email and could potentially be misidentified as spam. If your entity's spam filtering and virus protection are enabled automatically, the OCR expects you to check your junk or spam folder for any emails from the OCR. You can view a sample of the letter here.

Who will be audited?

Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; and a range of business associates of these entities.

How will the process work?

Once the OCR verifies contact information, a questionnaire will be sent out to gather data about the size, type, and operations of potential auditees. The questionnaire will be sent to both covered entities and business associates. All covered entities will be expected to submit a list of each of their business associates along with contact information.

Any entity that does not respond to the OCR may still be selected for an audit or be subject to a compliance review.

How will this affect medical billing companies?

Most medical billing companies are considered business associates. It is imperative not only that a covered entity have a business associate agreement in place, but that the business associate itself is fully HIPAA compliant. Many billing companies assume that the business associate agreement is all that is needed. That's simply not true. The Phase Two audits will focus not only on the covered entity but on the business associates it does business with.

PMRNC has a full HIPAA section in our members-only area. Medical billing companies can also see various samples of compliant business associate agreements as well as guidance on how to maintain compliance as a business associate. PMRNC has also developed a certification to help medical billing professionals attest to their HIPAA knowledge. This certification is the Certified HIPAA Information Specialist (C.H.I.S.) and is awarded to those who complete and pass the exam. Learn more about the C.H.I.S.!

Also see our special certification challenge! Purchase one of our certification exams within the next 10 days, score 90% or better, and receive an opportunity to take the second certification exam FREE!

HIPAA Audit Program Phase Two is Underway!