Today, the U.S. Department of Health & Human Services’s (HHS) Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA Compliance Audit Program. (OCR’s announcement can be accessed at Audit Phase 2 Announcement and further information about Phase 2 can be accessed at Audit Phase 2 Information.) In this phase, OCR will review the policies and procedures that covered entities and business associates have adopted and implemented to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and/or Breach Notification Rules. Phase 2 will consist of desk audits, with some on-site audits also conducted.

OCR promises that updated HIPAA audit protocols will be posted on its website closer to the time in which the 2016 audits will be conducted.

Selection of Audit Subjects

OCR is currently verifying entities’ address and contact information by sending emails to covered entities and business associates, requesting contact information be provided to OCR. Because OCR desires to audit a wide range of health care providers, health plans, health care clearinghouses, and business associates, OCR will then request that these entities complete a pre-audit screening questionnaire, in order to gather information about the size, type, and business/operations of the surveyed entities. The entities’ responses will be used to create pools of potential audit subjects, from which OCR will select the entities to audit during Phase 2. An entity that does not respond to OCR may still be selected for an audit or be subject to a compliance review: OCR has indicated that it will simply use publicly available information about the entity to create the audit subject pool.

As part of the pre-audit screening questionnaire, covered entities will be asked to provide a list of their business associates, together with contact information for such business associates.

Phase 2 Audits

OCR’s Phase 2 audits will be staged, with a first set of desk audits of covered entities, followed by a second set of desk audits of business associates. There will be a third set of audits that will be conducted on-site. Desk audits will examine compliance with select requirements of the Privacy, Security or Breach Notification Rule, with auditees notified of the subject of their audit in a document request letter. In contrast, on-site audits will examine compliance with a broader range of HIPAA requirements. Some covered entities and business associates who receive desk audits may be subject to a later on-site audit.

Entities selected as subjects for OCR’s Phase 2 audits will be notified by email notification letter. In the case of desk auditees, the notification letter will include OCR’s initial document requests, as well as provide information about the audit process and OCR’s expectations. Such auditees will be expected to submit the requested information to OCR within 10 business days of the date on the information request, by means of OCR’s secure internet portal.

For on-site audits, the OCR auditors will schedule entrance conferences and provide information about the onsite audit process and OCR’s expectations. Such audits will be conducted over 3-5 days on-site.

In the case of both desk and on-site audits, the auditors will provide auditees with draft audit findings. Auditees will have 10 business days to review the draft findings and provide written comments. The auditors will then finalize their audit reports within 30 business days. OCR will provide a copy of final reports to the audited entities.

OCR has indicated that all desk audits will be completed by the end of December 2016.

Use of Phase 2 Audit Results

OCR labels audits as a “compliance improvement activity.” That is, OCR will generally use the audit reports and results to determine the types of technical assistance that it should develop and the types of corrective action that would be most helpful – and to develop tools and guidance to assist in compliance evaluation and breach prevention. However, if OCR discovers a serious compliance issue, it may initiate a compliance review to further investigate the entity’s HIPAA compliance. Thus, the audits may be used as an enforcement tool – and could lead to investigations, sanctions, and monetary fines.

OCR will evaluate the Phase 2 procedures and results to develop its permanent HIPAA compliance audit program.

Takeaway: Be Prepared

OCR has warned that HIPAA compliance audits are a tool in its compliance and enforcement arsenal and that such audits could lead to compliance reviews and investigations if serious compliance issues are uncovered, so it behooves covered entities and business associates to be prepared. Several steps are evident from OCR’s announcement:

• OCR will communicate with covered entities and business associates on Phase 2 by email. Accordingly, covered entities and business associates need to ensure that such emails are not caught by spam filters/virus protection and/or check their junk or spam email folders for emails from OCR.
• During the pre-audit screening process, OCR will ask for lists of covered entities’ business associates. Covered entities need to be prepared to provide such a list with their business associates’ names and contact information.
• Regardless of whether selected for a desk audit or an onsite audit, a covered entity or business associate will face short deadlines for its response and production of compliance documentation. Covered entities and business associates need to be prepared with their current policies and procedures and the documentation required by the HIPAA Rules.

For a complete checklist of actions to take to be prepared for an OCR HIPAA audit, please see our October 1, 2014 HIPAA Audit Program Phase 2 Update.

While HHS/OCR has now launched Phase 2 of its HIPAA Compliance Audit Program, there is still time for covered entities and business associates to review their HIPAA compliance programs and become better prepared to respond to a HIPAA audit request. The time to act is now.