The HHS Office for Civil Rights (OCR) announced that it has begun Phase 2 of its HIPAA audit program. Audits will be conducted of covered entities and their business associates. (In its pilot audit program in 2011-12 OCR audited only covered entities, not business associates.) OCR is conducting the audits to assess the extent of compliance (or non-compliance) with the HIPAA Privacy and Security standards and implementation specifications and the Breach Notification Rules. The audits will not cover state-specific privacy and security rules.
These audits will primarily be desk audits, although some on-site audits will be conducted if the desk audit reveals a serious compliance issue.
OCR will evaluate the results and procedures used in these phase 2 audits to develop their permanent HIPAA audit program.
Action Steps for Employers and Others
To prepare for a possible HIPAA audit, employers who sponsor group health plans (these are one category of “covered entities”) and business associates should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules, and take any necessary steps to ensure they are in compliance with all HIPAA requirements. This might include reviewing HIPAA privacy and security policies, Breach Notification procedures and statements, business associate agreements, and workforce training materials.
What to Expect – Soon
OCR is sending emails to selected covered entities and business associates to create its audit subject pool. OCR notes that spam filtering and virus protection features may incorrectly classify communications from OCR as spam, and recommends that covered entities and business associates check their junk or spam email folders for emails from OCR. An entity that fails to respond may still be selected for an audit or subject to a compliance review, since OCR will use publically available information about the entity. OCR will send selected entities a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees.
What to Expect – Later
OCR will email entities selected for an audit and send a document request letter. Documents should be submitted on-line via a new secure audit portal on OCR’s website. Audits generally will not be conducted in person, but auditees should be prepared for a site visit when OCR deems it appropriate. Auditors will review documents entities submit and will share draft findings with the entity. Auditees will have 10 business days to review and return written comments, if any, to the auditor, and their written responses will be included in the final audit report. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response, and will share a copy of the final report with the audited entity.
OCR expects to complete these desk audits by the end of 2016 and will post updated audit protocols on its website soon. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking. OCR suggests that covered entities and business associates may want to use the audit protocol as a tool to conduct their own internal self-audits as part of their HIPAA compliance activities.
Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public.
Additional information about OCR’s Phase 2 Audit program, in the form of questions and answers, is on the OCR website here .
For the Leavitt article in 2012 about OCR’s Phase 1 HIPAA Audit program (Pilot Program), click here.