The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.
What’s Happening This Time Around?
OCR will conduct both desk audit and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.
For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.
Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.
What To Do Today
Hopefully your organization has been following the regular updates from OCR and this blog (see here, and here) on the HIPAA audit process. But in case you need a refresher, some key to-do items are listed below:
• Ensure that OCR’s emails are not being routed to your spam or junk email folder. OCR has stated that it will be sending audit related emails from OSOCRAudit@hhs.gov and that it expects Covered Entities and Business Associates to check spam and junk mail folders for correspondence from the agency. Failure to respond to OCR’s emails won’t get an entity off the hook for an audit; the agency plans to use publicly available information about entities that do not respond and include them in the audit pool.
• Prepare a list of your business associates. In the pre-audit screening process, OCR will ask for a list of business associates. The agency encourages Covered Entities to prepare a list in advance for responding to this request.
• Review the Phase 1 Audit Protocol. OCR has not yet posted updated audit protocols for Phase 2, but the Phase 1 audit protocol remains available on the OCR website. Even if your organization is not selected for an audit, working through the protocol is a great way to evaluate your compliance.
• Ensure you have an audit response team ready. As noted above, Covered Entities and Business Associates will have only 10 business days to respond to OCR’s request for documentation. They will also have only 10 business days to review the auditor’s draft findings. Assemble your audit team (and your documents) in advance.
• Review the audit information on OCR’s website. Further information about Phase 2 is available here.