The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has begun phase two of the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. It’s more important now than ever that your pharmacy is up-to-date with HIPAA compliance, and prepared for the very real possibility of an audit.
In phase two of the audit program, all covered entities, including pharmacies, may be audited to “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules,” according to a March 21 post on the HHS website.
“This should be no surprise because [the OCR] has been telling people that they’re going to begin auditing people in March 2016,” said Jim Young, J.D., Director of Third Party Services at PBA Health, a pharmacy services organization based in Kansas City, Mo.
Here’s what you need to know about phase two, and the steps you can take to prepare your pharmacy for a HIPAA audit.
Initial communication
The OCR has already started sending initial communications to entities that may be audited, so be on the lookout for an email that looks like this.
“If you get one, you should know that this is something you need to respond to, and not responding to it probably isn’t a good thing,” Young said.
The OCR is sending emails to entities that might be audited to verify their contact information, and some entities may also receive a pre-screening questionnaire.
“If you have any questions about answering it, it would be best to contact your HIPAA compliance service and your PSAO,” Young said.
It’s important to regularly check your email junk or spam folders to make sure you aren’t missing any communication from the OCR, as messages might be filtered out of your inbox and marked as spam. Young said it’s a good idea to add the email address, OSOCRAudit@hhs.gov, to your contact list to make sure any emails from the OCR make it into your inbox.
Even though a first round of communications has already been sent to pharmacies, Young said pharmacies should stay vigilant, as there might be future rounds.
Audit compliance
If your pharmacy is selected for a desk audit or an onsite audit, the process will begin with the OCR requesting various documentation and supporting materials that demonstrate your HIPAA compliance.
Audited entities will have 10 days to submit the necessary information, and then the OCR will review the documents. After the review, OCR will send its findings to the audited entity, and the entity will then have 10 days to review and respond to the OCR’s findings.
If the audit uncovers any serious compliance violations, the entity might have to undergo a more rigorous review that could lead to disciplinary action, ranging from remediation requirements to monetary penalties.
Preparing with prevention
While it’s difficult to predict who will be audited, or to prevent an audit, Young said your pharmacy can make the audit process simpler—and less expensive—by taking preventative measures to ensure you’re following all relevant regulations.
“A HIPAA lawyer could cost hundreds of dollars per hour,” Young said. “It’s better for pharmacies to spend a few hundred dollars per year to remain compliant, so you don’t have to spend hundreds of dollars per hour.”
Start by making sure your pharmacy has an audit response plan, and that you’re following the policies and procedures you need to be compliant. Pharmacies should also consider reviewing their business partners’ policies and procedures to make sure they’re following all applicable HIPAA regulations, and not leaving your pharmacy exposed.
Young said HIPAA regulations are numerous and complicated. While it’s important for pharmacies to follow them, it’s difficult for them to do it alone.
Partnering with a HIPAA compliance company can streamline your pharmacy’s procedures and ensure that everything from your employee training to your risk assessment and risk management plan is up-to-date and compliant.
For example, PRS Pharmacy Services, a pharmacy services company that offers a HIPAA-compliance program, has helped more than 6,000 independent pharmacies and small chain pharmacies with its program, HIPAATrack. According to the PRS website, this program offers a simple, cost-effective solution to help pharmacies remain HIPAA-compliant.
The HIPAATrack program provides pharmacy users with online HIPAA-compliance programs, employee training and tracking, and current policies and procedures to meet the latest HIPAA rules.
Jim Young, J.D., is the Director of Third Party Services at PBA Health, a pharmacy services company based in Kansas City, Mo. PBA Health provides third party contract negotiation and management services for independent community pharmacies through TriNet Third Party Network, its Pharmacy Services Administration Organization (PSAO).