On March 21, 2016, the Office for Civil Rights (OCR) announced that it has begun the next phase of HIPAA compliance audits. The Phase 2 audits are being rolled out in three steps:
Step 1. Entity verification by email – The OCR will email covered entities and business associates to verify their addresses and contact information. The OCR cautioned that these emails may be incorrectly categorized as spam and expects covered entities and business associates to check their junk mail or spam folders for emails from the OCR. Entities that fail to respond may still be selected for an audit or compliance review, as the OCR will use publicly available information about the entity to create its audit subject pool.
Step 2. Pre-audit questionnaires – Potential audit candidates will receive a pre-audit questionnaire. These questionnaires will gather data about an audit candidate’s size, type, and business operations. The OCR will use the data to create potential audit subject pools. The pre-audit questionnaires will also ask covered entities to identify their business associates. The OCR is encouraging covered entities to prepare a list of business associates with contact information in order to respond to the OCR’s request.
Step 3. The audits – The OCR will conduct desk audits and on-site audits of selected covered entities and business associates. A desk audit is what it sounds like. An OCR auditor will review information submitted by the entity from his or her desk, as opposed to conducting an on-site visit at the entity’s premises. The first set of audits will be desk audits of covered entities, followed by a second set of desk audits of business associates. The OCR will also conduct a third, more comprehensive set of on-site audits. Some auditees may be subject to both a desk audit and a subsequent on-site audit. All desk audits are expected to be completed by the end of December 2016.
More about the audit process will be available on the OCR’s website as the program develops, including updated audit protocols.
In the meantime, the OCR has shared the following additional information about the process:
- Entities selected for audit will be notified by email and will receive a request for documents and data.
- Audits will cover HIPAA’s Privacy, Security, and Breach Notification Rules.
- All information must be submitted via a secure portal on the OCR website.
- Auditees will have 10 business days to submit requested information to the portal.
- Auditees will receive draft findings and will have 10 business days to respond. The auditor will then have 30 days to issue the final report.
- On-site audits will be more comprehensive than desk audits and will be conducted over three to five days on-site, depending on the size of the entity.
- Audit findings will be primarily used for compliance improvement activities. However, if an audit report warrants, the OCR may initiate a compliance review to further investigate serious compliance issues.
Finally, a word about selection. Every covered entity and business associate is eligible for an audit. The OCR will identify audit candidate pools representing a wide range of health care providers, health plans, health care clearinghouses, and business associates. Selection factors will include size, affiliations with other healthcare organizations, the type of entity and its relationship to individuals, whether the entity is public or private, geographic factors, and present enforcement activity with the OCR. Entities with an open complaint investigation or that are currently undergoing a compliance review will not be audited.
Please contact us if you have questions about preparing for a HIPAA audit or need assistance with an audit response. For more information about the audit process, please see the OCR’s press release available on the OCR website at www.hhs.gov.