Today the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has begun its long-awaited Phase 2 HIPAA Audits of covered entities and business associates. According to OCR, these Phase 2 audits will be primarily desk audits (with some on-site audits) to assess covered entities’ and their business associates’ adoption and employment of policies and procedures to meet Privacy, Security, and Breach Notification Rule standards.
To begin the 2016 audits, OCR will email covered entities and business associates requesting contact information. A sample email letter is available here. The email will be followed closely by a pre-audit questionnaire to create potential audit subject pools. Entities that do not respond to OCR emails will still be included in the audit subject pool based on publicly available information. OCR noted that it expects entities to check junk or spam folders for emails from OCR.
OCR will use Phase 2 audit results to better target technical assistance for problems identified through the audits and to develop industry tools and guidance. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to investigate further. Though not yet available, entities can soon check OCR’s website for the updated audit protocol, including updates based on the Omnibus Rule.