U.S. government starts privacy audits

February 15, 2012

In most cases, a pharmacy is, by definition, a HIPAA-covered entity, so it is subject to a possible audit by the federal government. Here's what you can do to prepare, just in case.

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced that it will audit a wide range of types and sizes of covered entities, including pharmacies. Initially, the audit program will focus only on HIPAA-defined covered entities, not on business associates. Because a pharmacy is (in most cases) a HIPAA-covered entity by definition, it is subject to a possible federal audit in the form of an OCR audit.

After OCR selects the entities for the pilot audit program, it will notify them in writing and ask them to provide documentation of their privacy and security compliance efforts. The notification will explain the audit process and goals and describe the initial document and information request. It will specify how and when the covered entity is to return the requested information to KPMG, the auditor OCR has contracted to conduct the audits. Replies are due 10 business days from receipt of the notice.

Every audit in the pilot phase will include a site visit, scheduled anywhere from 30 to 90 days after the notification letters are mailed. OCR expects each on-site visit to take between 3 and 10 business days, depending on the complexity of the organization. During the site visit, the auditors will interview key personnel and observe processes and operations to help determine compliance.

Following the site visit, the auditors will provide the covered entity with a draft report. The covered entity will have 10 business days to review and comment on the draft, and the auditor will then complete a final report within 30 business days after receiving that response. Among other things, the final report will describe the steps the entity has taken to resolve any compliance issues and to institute any recommended best practices.

OCR contends that the audits are intended to be a compliance improvement exercise for covered entities. However, should an audit report indicate a serious compliance issue, OCR could undertake its own independent compliance review to address any perceived deficiencies. Unlike in the case of privacy or security breaches, OCR will not post a list of audited entities, nor will it otherwise identify an audited entity when sharing its findings and conclusions.

Pharmacies should prepare meaningfully for this new audit exercise: review and update privacy and security policies and procedures, confirm that employee training has actually been delivered and documented, and verify that compliance obligations are being implemented in day-to-day operations rather than existing only on paper. Affected organizations should also make sure that an audit notification letter will be recognized and routed to the right people promptly, since the 10-business-day response window leaves little room for delay.

This article is not intended as legal advice and should not be used as such. When legal questions arise, pharmacists should consult with attorneys familiar with the relevant drug and pharmacy laws.

Ned Milenkovich is a member at McDonald Hopkins, LLC, and chairs its drug and pharmacy practice group. He is also Vice-Chairman of the Illinois State Board of Pharmacy. Contact Ned at 312-642-1480 or at nmilenkovich@mcdonaldhopkins.com.