As previously discussed on this blog (see here and here), the Office for Civil Rights (OCR) recently began its second round of audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (the “Phase 2” audits). Notably absent from the launch of Phase 2 was the release of the updated audit protocol that would be used in conducting the Phase 2 audits. But OCR quietly addressed this gap with the release of the revised audit protocol in April 2016. Covered entities and business associates who have not yet reviewed the new protocol are strongly advised to do so and to incorporate the Phase 2 audit protocol into their preparations for a potential audit.
OCR Makes Additional Tools Available
OCR also has provided some additional information regarding the scope of the Phase 2 audits. A copy of the audit pre-screening questionnaire has been posted to the OCR website, and covered entities and business associates should make sure that they can provide the listed information. OCR also has published a sample template for identifying business associates, as well as for listing contact information for each business associate. While OCR will use the information that covered entities provide on this form about their business associates to help it select business associates for auditing, both covered entities and business associates can use this template as a tool to help track their business associate agreements.
In addition, Deven McGraw, Deputy Director of Health Information Privacy at OCR, reportedly stated in an interview that OCR plans to conduct 200 remote desk audits and 10 to 25 audits involving onsite visits. These numbers are consistent with earlier reports. The important new information, however, was Ms. McGraw’s statement that the remote desk audits will focus on compliance with only a small subset of HIPAA requirements and that only the audits involving onsite visits will be “full scale” audits. While this information is welcome news to covered entities and business associates, they still will need to prepare as if they may be the subject of a full-scale audit, as they will not know ahead of time which specific requirements they will be asked to address.
Audit Notification Letters Expected in May, June, and July
Covered entities reportedly are expected to begin receiving audit notification letters in May, and therefore it is possible that some covered entities already may have received notification letters. Business associates are expected to receive notification letters beginning in June or July. Given this timeframe, covered entities and business associates should plan to complete their audit preparations as soon as possible.