The HHS Office of Civil Rights (OCR) has announced the opening of its "Phase 2" HIPAA audit program. We have been anticipating this program for some time. It potentially affects all HIPAA covered entities, including employer-sponsored group health plans, as well as business associates of those covered entities, such as third-party administrators for self-insured health plans.

The purpose of the audit program is to "assess compliance" with the HIPAA privacy, security, and breach notification rules. Accordingly, these audits will be directed at a cross-section of HIPAA covered entities and business associates, rather than based on specific complaints or news reports.

Covered entities and business associates that are potential candidates for audit will be contacted by email (check your spam filter!) and asked to complete a pre-audit questionnaire. Not all covered entities and business associates that go through the pre-audit process will be selected for audit. But those who fail to respond to the pre-audit questionnaire will still be included in the potential audit pool, and it seems fair to assume that a failure to respond may increase OCR's interest in conducting a full-scope audit. 

Based on the updated audit protocol that OCR is using to train its auditors, we have a good idea what OCR will be looking for if it conducts an audit. In the case of an employer-sponsored group health plan, the audit is likely to include a review of the following:

  • The plan document (to determine whether the proper HIPAA plan language has been adopted)
  • Policies and procedures for compliance with the privacy, security, and breach notification rules
  • The notice of privacy practices, including information about how and when it has been distributed
  • Business associate agreements (to determine whether they are in place and up to date)
  • Information indicating whether there has been appropriate HIPAA training
  • The security risk assessment conducted in connection with security rule compliance

It is advisable for all HIPAA covered entities (particularly self-insured health plans) to ensure their plan documents, policies, procedures, notices, and other compliance practices are in good shape, just in case OCR comes calling.