OCR Launches Phase 2 of HIPAA Audit Program

Rob Malarkey | 6/20/2016

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun “Phase 2” of its ongoing efforts to assess compliance with the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules). The 2016 Phase 2 HIPAA Audit Program broadens audit coverage and includes changes in the audit approach. It is essential that healthcare organizations be prepared for these audits so that they can respond comprehensively to OCR requests within the 10-day period allotted for organizational responses.

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires OCR to conduct periodic audits of covered entity and business associate compliance with HIPAA Rules. In 2011 and 2012, OCR implemented a pilot audit program for selected covered entities. Based on experiences and results from that program, the more focused Phase 2 audit protocol was developed. Phase 2 will examine compliance not only by covered entities, but also by related business associates. In addition, there will be fewer in-person, on-site audits in Phase 2 than in the pilot program. Most audits will be conducted remotely as “desk audits,” but entities selected for an audit should be prepared for an in-person, on-site audit if OCR deems it appropriate.

The aggregated results are intended to enable OCR to better understand compliance efforts and challenges with particular aspects of the HIPAA Rules. Although the primary focus of the audits will be on compliance improvement, if an audit identifies a serious compliance issue, OCR may further investigate through a broader-scale compliance review.

Every covered entity and business associate is eligible for an audit. OCR has begun the process of verifying contact information of covered entities and business associates. The OCR site states that once contact information is verified, OCR will send a pre-audit questionnaire to covered entities and business associates to gather “data about the size, type, and operations of potential auditees.” Next, OCR will select a random sample of entities in the audit pool. Chosen entities will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter. Audited entities will be required to submit all requested documentation digitally through the OCR audit portal within 10 business days of the date on the information request.

Covered entities should proactively prepare for the possibility of being selected for a Phase 2 HIPAA compliance audit. At a minimum, organizations should conduct a self-assessment of compliance activities in relation to published HIPAA protocols. Following are other steps that can be taken to improve audit readiness:

  • Confirm that privacy and security policies and procedures reflect current HIPAA requirements, and be ready to provide evidence that such policies are reviewed and updated periodically.
  • Prepare a listing of all related business associates, contact information for the business associates, and the services provided by the business associates. Establish procedures to keep the information up to date and be prepared to provide it upon request.
  • Examine covered entity and business associate relationships for HIPAA compliance. Document efforts taken to address any compliance gaps.
  • Assess the ability to provide evidence that policies and procedures are being enforced through sanctions commensurate with policy violations.
  • Verify that documentation providing evidence of compliance with policies and procedures is current, complete, and stored in an organized and accessible manner so that it can be readily provided upon request.
  • Watch for all OCR email communications such as requests for contact and address confirmations, pre-audit questionnaires, and audit notifications. This includes checking spam email filters.

Is your organization prepared for a Phase 2 HIPAA audit?