On March 21, 2016 the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced the start of Phase 2 of the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. Phase 2 will consist of more than 200 desk and onsite audits of both covered entities and business associates to determine their compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. By contrast, the Phase 1 pilot audit program conducted in 2011 and 2012 targeted only covered entities and involved just 115 audits.
According to an OCR press release, Phase 2 will include “a broad spectrum of audit candidates” that OCR will randomly select from pools that “represent a wide range of health care providers, health plans, health care clearinghouses and business associates.”
OCR is currently verifying contact information and sending initial emails to potential subjects with a pre-audit questionnaire that will gather data about the “size, type, and operations of potential auditees.” Based on the questionnaire responses, OCR will choose the final pool of auditees and send notification letters shortly. OCR has stated that it is “committed to transparency about the process” and will post on its website updated audit protocols developed from the Phase 1 HIPAA audits. Phase 2 will include both desk and on-site audits of covered entities and their business associates.
Covered entities and business associates will have 10 business days to respond to OCR’s audit request. The data requests will specify the content, file names and other documentation requirements, and the auditors may contact the covered entities and business associates for clarifications or additional documentation. All documents must be in digital form and must be submitted electronically through a secure online portal that OCR has developed specifically for Phase 2. OCR will begin with a round of desk audits of covered entities, followed by a round of desk audits of business associates; all desk audits are expected to be completed by the end of December 2016.
Auditors will review the submitted documentation and provide draft findings. Subjects of the audit will then have 10 business days to review the findings and return written comments, if desired. If an on-site audit is required, auditors will schedule a date and provide information about the process. On-site audits will last three to five days depending upon the size of the entity. As with desk audits, auditees will have 10 days to review the findings from an on-site audit and return written comments, if any.
While Phase 2 audits aren’t intended “to be a punitive mechanism,” OCR may open a more serious compliance review if an audit uncovers significant compliance issues. Based on the results of such a compliance review, covered entities and business associates may be liable for penalties.
For now, covered entities should respond to OCR’s pre-audit screening questionnaire if they receive one, including providing the names of their business associates. The individual identified to OCR as the primary contact should be on the lookout for email from OCR, including by checking junk or spam folders. If an entity doesn’t respond to OCR, OCR will use publicly available information to create its audit pool, so the entity may still be selected for an audit or subject to a compliance review despite not responding. To prepare for a possible HIPAA audit, employers sponsoring group health plans should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules and ensure their policies, procedures and training materials are up to date.