Audit photo for OCR audit blog

On Monday, March 21, I attended the 24th National HIPAA Summit in Washington, D.C., where Jocelyn Samuels, Director of the HHS Office for Civil Rights (OCR), announced the launch of Phase 2 of its HIPAA audits of Covered Entities (CEs) and Business Associates (BAs). The OCR anticipates conducting approximately 200 audits during Phase 2 of the HIPAA Audit Program, which will be executed in three stages. The first stage will involve desk audits of CEs; desk audits of BAs will be conducted during the second stage; and on-site audits of both CEs and BAs will be performed during the third stage.

What is the HIPAA Audit Program?
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the OCR conduct periodic audits of CEs and BAs to evaluate their compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Completed in 2012, Phase 1 of the HIPAA Audit Program involved approximately 115 audits of CEs. This first phase of audits found that many of the participants lacked awareness of key Privacy and Security Rule requirements, such as the need to provide patients with Notices of Privacy Practices, the proper protocol for providing individuals and their personal representatives with timely access to the individual’s Protected Health Information (PHI), the need to conduct a risk analysis on a regular basis, and the importance of disposing of media containing PHI in a secure manner.

Who will be subject to Phase 2 of the HIPAA Audit Program and how will participants be selected?
Since announcing the launch of Phase 2 of the HIPAA Audit Program, the OCR has started sending emails to CEs to verify contact information. CEs need to check their spam filters to ensure that any emails from the OCR have not been incorrectly identified as junk email.

Those CEs who are asked by the OCR to verify their contact information may eventually be sent a pre-audit questionnaire that will ask recipients a host of questions about their organization, including where they are located, how many employees they have, what services they provide, and who their BAs are. The questionnaires will be used by the OCR to determine which CEs and BAs will be selected to participate in Phase 2 of the HIPAA Audit Program. The OCR wants to audit a diverse selection of CEs and BAs that will range in size, type and location.

All CEs and BAs are eligible for an audit and could be asked to participate in either one or two stages of Phase 2 of the HIPAA Audit Program. However, CEs or BAs who are involved in an ongoing OCR complaint investigation or compliance review will not be selected as an audit participant during Phase 2 of the HIPAA Audit Program.

What is the timeline for the three stages?
Stage 1 – Desk Audits of CEs

The first stage of Phase 2 of the HIPAA Audit Program will involve desk audits of CEs. The focus of these desk audits will be on the CE’s compliance with specific requirements of the Privacy, Security or Breach Notification Rules. Audit participants should be prepared to share their risk analyses, policies and procedures and their Notice of Privacy Practices with the OCR. It appears that the OCR will also be interested in learning about how the CE process individuals’ requests for PHI copies. The OCR states that these desk audits will be completed by the end of December 2016.

Stage 2 – Desk Audits of BAs

The second stage of Phase 2 will be very similar to the first stage, except desk audits will be conducted on BAs. The OCR states that these desk audits will also be completed by the end of December 2016.

Stage 3 – On-Site Audits of CEs and BAs

The third stage of Phase 2 will involve on-site audits of select CEs and BAs. These on-site audits will be comprehensive and will likely include a three- to five-day on-site visit by the OCR.

What’s next?
Any day now, the OCR will be publishing audit protocols for Phase 2 of the HIPAA Audit Program. These protocols will provide instructions to CEs and BAs on what the OCR will be evaluating during the various stages of Phase 2.

MRO will be sharing helpful tips to our clients in upcoming email and webinar formats. Stay tuned for more details.

This blog post is made available by MRO’s general counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s general counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.