The HHS Office for Civil Rights (“OCR”) announced on March 21, 2016 that it has begun its next phase of audits of covered entities and business associates. The 2016 audit process begins with verification of an entity’s address and contact information. Emails are being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. Hall Render is aware that OCR sent similar confirmation emails last year. OCR encourages covered entities and business associates to check their junk and spam email folders for emails from OCR to avoid missing the communication. Phase 2 audits will primarily be desk audits; however, some on-site audits will be conducted as well. OCR plans to use audit findings to develop compliance tools and guidance to assist the industry and to design the permanent HIPAA audit program. The audit process is detailed below.
Phase 2 of OCR’s HIPAA audit program is currently underway. OCR is verifying contact information for various covered entities and business associates. Click here to see a sample OCR email letter. If an entity does not respond to OCR’s request for information, OCR will use publicly available information about the entity for purposes of audit communications. Non-responsive entities will still be potential audit subjects. Next, OCR will transmit a pre-audit questionnaire to select entities to gather further data about the size, type and operations of potential auditees to ultimately create final audit pools.
Types of Entities Audited
Every covered entity and business associate is eligible for an audit regardless of size and/or type of operations. The audit protocols are designed to apply to a broad range of covered entities and business associates, but their application may vary depending on the size and complexity of the entity being audited.
Entity Selection Process
OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. The selection criteria will include size of the entity, affiliation with other health care organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors and current enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or those that are currently undergoing a compliance review.
Audit Program Process
The first set of audits will be desk audits of covered entities followed by a second set of desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security and/or Breach Notification Rules. OCR intends to post an updated Audit Protocol on its website in the near future. The Audit Protocol currently posted has not been updated with changes made by the HITECH Final Rule. Auditees will be notified of their assigned audit topics in a document request letter. All desk audits in this phase are scheduled to be completed by the end of December 2016. The third set of audits will be on-site audits and will examine compliance with a broader range of HIPAA requirements than the desk audits.
Entities selected for an audit will be sent an email notification of their selection and asked to provide documents and other data in response to a document request letter. Audited entities will submit documents online via a new secure audit portal on OCR’s website. Draft findings will be shared with the entity. The entity will have an opportunity to respond to the findings, and their written responses will be included in the final report.
General Audit Timelines
Over the next few months, OCR will notify the selected covered entities via email about their selection for an audit. Covered entities selected for a desk audit will receive a notification letter from OCR that will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. Covered entities will have 10 business days to submit the requested information in digital form via OCR’s secure online portal. After a review of the materials, the auditor will provide the covered entity with draft findings. The covered entity will have 10 business days to provide a written response to the draft findings. The auditor will complete a final audit report for each entity within 30 business days after the audited entity’s response. OCR will share a copy of the final report with the audited entity. These audit timelines will be replicated for the business associate desk audits.
For on-site audits, entities will also be contacted via email. Auditors will schedule an initial conference to provide more information about the on-site audit process and expectations for the audit. Depending on entity size, the on-site audits will take 3-5 days. On-site audits will be more comprehensive than desk audits and cover a wider range of HIPAA requirements. Similar to the desk audits, entities will have 10 business days to provide a written response to the draft findings. The auditor will complete a final audit report for each entity within 30 business days after the audited entity’s response. OCR will share a copy of the final report with the audited entity.
OCR intends to use the audits primarily for compliance improvement activities, such as determining what types of technical assistance should be developed by OCR for the industry to increase compliance and reduce the number of breaches. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. OCR will not post a listing of audited entities or the findings of an individual audit, but auditees should be aware that some audit materials will be subject to FOIA requests.
It is important that covered entities and business associates respond promptly and appropriately if a communication is received from OCR regarding inclusion in the Phase 2 HIPAA Audit Program. In preparation for a potential audit, covered entities and business associates should take the following steps:
- Make certain your Privacy Officer or other primary contact person checks their email, including junk and spam folders, regularly for emails from OCR;
- Review Privacy, Security and Breach Notification policies and procedures to ensure they are compliant with current HIPAA requirements;
- Consider conducting a “mock audit” to identify areas for improvement;
- Develop a plan to address any identified deficiencies; and
- Develop a process to ensure that your entity will be able to quickly gather the requested documents. You will only have 10 business days to respond.