In an effort to review and examine compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), the Department of Health and Human Services Office for Civil Rights ("OCR") is conducting Phase 2 HIPAA audits for both covered entities and business associates. OCR is conducting the audits to assess new risks, identify effective privacy and security measures, and develop targeted guidance on specific areas of concern.
The first step in the audit phase is a pre-audit screening email sent to potential auditees. We have seen several of these delivered recently. A sample of the pre-audit screening email can be found here. The email contains a questionnaire addressing size, entity type, services, contact information, and other background information. The online questionnaire must be completed and returned to OCR within 30 days. Based on the responses received and the information gathered, OCR will create a smaller, representative sample audit pool. Thus, not all entities that receive the initial pre-audit screening email will be audited. However, failure to respond to the questionnaire will not remove an entity from the audit selection pool. OCR will use publicly available information about an entity if it receives no response within the 30-day timeframe.