OCR Announces that the Phase 2 HIPAA Audit Program Has Already Started

The HHS Office for Civil Rights (OCR) just announced that its Phase 2 HIPAA audit program has started and that covered entities and business associates are already being contacted. You can find this announcement here. OCR has begun sending emails to verify contact information for various covered entities and business associates and determine which entities should be included in the audit pools. These emails from OCR will be sent from OSOCRAudit@hhs.gov and could be classified as spam or junk. OCR expects covered entities and business associates to check their junk or spam folders for communications from OCR and to respond. The message that OCR is currently disseminating, via email, looks like this.

Covered entities and business associates are being selected for these Phase 2 audits from a wide range of health care providers, health plans, health care clearinghouses and business associates. OCR has said that the criteria for auditee selection “will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities that are undergoing a compliance review or that have an open complaint investigation. Many businesses will receive a questionnaire requesting data about its size, type and operation. Covered entities will be asked to identify their business associates so covered entities would be wise to prepare a list of all of its business associates and their contact information. OCR will then conduct a random sample of the entities in the audit pool and inform auditees of their selection.

OCR will use publically available information to complete the audit pool profile of any covered entity or business associate that fails to respond to requests for information. Any such entity that fails to respond to OCR can still be selected for an audit.

Although OCR plans to conduct desk and onsite audits of covered entities and their business associates, the process will start with desk audits of covered entities. This will be followed by another round of desk audits of business associates. These desk audits will primarily involve requests for records to the covered entities and business associates being audited. Auditees will be asked to submit documents to OCR through the secure portal on its website. Auditors will review the documentation provided to assess the entity’s compliance with the requirements of the Privacy, Security, or Breach Notification Rules, and then OCR will send draft findings to the audited entity. Auditees will be able to respond to these draft findings and to have their responses included in the final audit report. These audit reports describe how the audit was conducted, the findings, and the auditee’s responses to the findings. All Phase 2 desk audits will be finished by December 31, 2016.

The last set of the Phase 2 audits will be on site and will more focused and involve a broader review of the entity’s compliance with the various legal requirements. OCR has announced that all auditees should be prepared for a site visit.

OCR’s audits are intended to enhance awareness of compliance obligations and help OCR develop tools and guidance to assist the industry in addressing common deficiencies identified through the audits. OCR intends to use the Phase 2 audit results and procedures to create a permanent audit program, which is mandated by the HITECH Act.

OCR’s audit program began in 2011 with site visits and assessments of privacy and security controls implemented by 115 covered entities. These site visits were followed by written reports, with findings and recommendations, and the covered entity was given an opportunity to develop corrective actions. The final audit reports submitted to OCR were then reviewed for the purpose of informing the technical assistance that OCR developed for the industry. Common failures that were identified through the pilot audit program included inadequate risk analyses, outdated policies and procedures, and non-existent contingency plans.

If your organization is subject to the HIPAA Rules, you should look for emails from OCR and be mindful of your HIPAA policies and procedures, risk analysis, and other compliance documents.

For further information about HIPAA and data security compliance, please contact Kurt Bratten. 

Kurt Bratten is a Shareholder of the firm. He represents companies in the healthcare industry and other sectors regarding HIPAA and cyber security matters, including how to prevent and respond to security breaches and incidents under various state and federal laws. He has experience investigating and responding to complex and technologically advanced security breaches. Kurt frequently speaks to trade groups and professional associations regarding HIPAA, breach response and data security.