Phase 2 HIPAA Audits Under Way

The Health and Human Services Office of Civil Rights (OCR) has officially begun its Phase 2 Audit Program under HIPAA.  Phase 2 audits could involve desk audits or on-site assessments and will be completed by the end of 2016.  Covered entities should take steps now to prepare for these audits and to mitigate potential risks.

Who will be audited?

All covered entities and business associates are eligible for an audit, but OCR is selecting samples of these entities that represent a wide range of health care providers, health plans, health care clearinghouses, and business associates through a pre-audit questionnaire.  Sampling criteria will include size of the entity, type of the entity, affiliation with other health care organizations, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.  Organizations that have an open complaint or are undergoing a compliance review will not be selected for an audit.  Letters have already gone out to some potential audit targets.

What’s involved in the audit?

OCR plans to conduct primarily remote desk audits, with some on-site audits, for both covered entities and business associates.  The desk audits will examine compliance with specific requirements of the Privacy and Security Rules, as well as breach notification requirements.  In response to a document request letter from OCR, audited entities must provide documents and other data online though a new secure audit portal on OCR’s Website within 10 business days.

The on-site audits, lasting three to five days, will examine a broader scope of requirements from the HIPAA Rules than desk audits.  Entities will be informed by e-mail of their selection, and an auditor will schedule a conference to provide more information about the audit process.

Auditors will review the audited entity’s documentation and share draft findings with the entity.  Entities will have 10 business days to review draft findings and provide written comments.  Auditors will complete a final report within 30 business days and share the report with the audited entity.

What happens after the audit?

After the audit process, OCR will review and analyze the information from the final reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Then, OCR will work to develop tools and guidance to assist the HIPAA-regulated industry with self-compliance and evaluation and with preventing breaches.

While Phase 2 audits are not intended to be a punitive mechanism, serious compliance problems may nevertheless prompt OCR to further investigate an entity and possibly initiate a compliance review.

How can a covered entity prepare for an audit?

In order to prepare for these audits and to mitigate potential risks, covered entities should begin taking these steps now:

• Confirm that all required HIPAA Privacy and Security policies are implemented and have been updated to address items introduced in the Omnibus Rule
• Confirm that all business associate agreements are accessible and have been amended to ensure that they are in compliance with the Omnibus Rule
• Confirm that the Notice of Privacy Practices is up-to-date and is provided in a timely manner to all required individuals
• Provide regular training to covered members of the workforce to ensure that they are aware of HIPAA’s Privacy and Security regulations and the obligations imposed by both
• Ensure that plan documents have been amended to incorporate the appropriate HIPAA provisions and that the plan sponsor has provided the required certification to the plan
• Conduct and document an updated Security risk analysis, and if deficiencies exist, correct them and document how risks are mitigated
• Review and update template breach notification statements to ensure that they are in compliance with the Omnibus Rule
• Check your e-mail and spam folders for OCR’s e-mails, and set OCR as an approved sender
• Develop a list of business associates

If you have questions about the Phase 2 Audit Program, visit the OCR Website at http://www.hhs.gov/ocr/ or call ASR Health Benefits at (616) 957-1751 or (800) 968-2449.