At the recent National HIPAA Summit in Washington, D.C., Jocelyn Samuels, Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), and Deputy Director Deven McGraw, gave an update on the OCR’s compliance enforcement efforts, including the status of the HIPAA Audit Program, which launched Phase 2 in March 2016.

The OCR stated that they plan to complete 200-250 audits of Covered Entities (CEs) and Business Associates (BAs) over the course of three stages during Phase 2 of the HIPAA Audit Program. Currently, the OCR is in the process of evaluating documentation it received from the 167 CEs selected in June 2016 to participate in the first stage of Phase 2. Preliminary draft audit reports will soon be sent to audited CEs for their feedback, before the drafting of final reports. The OCR anticipates completing the first stage of Phase 2 by the end of 2016.

Future Outlook: Second and Third Stages for Phase 2 HIPAA Audits

In the meantime, the OCR plans to launch the second stage of Phase 2 – BA desk audits – in October 2016. The OCR will select 40-50 BAs from lists provided by stage one CE auditees to participate in stage two. Those BAs selected for the second stage will be evaluated on CE breach notification and compliance with the HIPAA Security Rule. Prior to the launch of the second stage, selected BAs will be invited to participate in a webinar hosted by the OCR, allowing the BAs to ask questions. Like stage one, selected BAs will have ten days to respond to the OCR’s request for documentation and will be given an opportunity to review and provide feedback on a draft of the report before the final version is completed.

In the next few months, the OCR will initiate the third stage, which will consist of onsite audits of select CEs and BAs. The OCR does not yet have an exact number of audits for stage three, but anticipate conducting only a small number.

After completing Phase 2 of the HIPAA Audit Program, the OCR will issue a public report, which will aggregate and address “lessons learned,” including best practices for BAs and CEs to implement.

Even for organizations not selected for participation in Phase 2, the OCR strongly encourages all CEs and BAs to review and implement the audit protocols, as most organizations that have entered into resolution agreements and civil money penalties with the OCR have been cited for not having proper risk analyses and risk assessments in place.

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.

MRO will hold an informal HIPAA Q&A during the upcoming AHIMA16 convention in Booth #1020. If you’re attending the conference, please stop by.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.