The US Department of Health and Human Services Office of Civil Rights (OCR) recently announced that it has activated Phase 2 of the HIPAA Audit Program. OCR’s new Phase 2 will focus on reviewing the policies and procedures of covered entities and their business associates to verify HIPAA compliance.  OCR has reportedly started to send out emails to obtain and verify contact information for covered entities and business associates of various types for possible inclusion in the pool of potential audit subjects.  Now is the time for your organization to prepare for a potential audit.

Why Now?

As we previously noted, last fall the U.S. Department of Health and Human Services Office of Inspector General issued a report in which it criticized OCR for lack of enforcement under HIPAA.  OCR agreed with OIG’s findings and vowed to update its audit program to use both (1) desk reviews of policies as well as (2) on-site inspections.  OCR stated that this new audit program will target specific common areas of noncompliance and will include audits of business associates.

Who Will Be Audited?

OCR has stated that both covered entities and business associates may be audited.  However, given the fact that business associates were not big audit targets during prior OCR audit programs, it would not be surprising to see a higher number of business associates during Phase 2 to be subject to OCR audits.

On What Basis Will Audit Subjects Be Selected?

OCR has indicated that it hopes to identify “pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.” OCR is seeking to establish sampling criteria to cover a broad spectrum of potential audit subjects.  OCR will conduct a random sample of entities in the audit pool.  Selected audit subjects will then be notified of their participation.

How Will the Audit Program Work?

OCR has announced plans to conduct desk as well as on-site audits for both covered entities and business associates. The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates. The third set of audits will be onsite and will examine a broader scope of requirements than desk audits. Some desk auditees may be subject to a subsequent on-site audit.

What Can Organizations Do to Prepare for Phase 2?

Both covered entities and business associates should be on the look-out for emails from OCR to confirm the entity’s contact information.   In addition, OCR advises that covered entities prepare a list of each business associate with contact information so that they are able to respond to this request.  If an organization’s HIPAA compliance program is not where it needs to be, consideration should be given to  focusing on key areas that OCR has previously identified as areas of heightened focus:

• Conduct and complete security risk assessments, including maintenance of an up-to-date inventory of IT systems and mobile devices,
• Evaluate encryption and other addressable implementation standards, and document rationale for decisions not to adopt such standards,
• Ensure organization has adopted breach notification policies,
• Confirm workforce members have received appropriate HIPAA training, and
• Confirm that the organization’s policies and actual practice ensure that patients and consumers are able to rightfully access their health information.

For example, the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.  The Breach Notification Rule is discussed at the HHS website here.

Stay tuned for further developments.