In an effort to review and examine compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), the Department of Health and Human Services Office for Civil Rights ("OCR") is conducting Phase 2 HIPAA audits for both covered entities and business associates. OCR is conducting the audits to assess new risks, identify effective privacy and security measures, and develop targeted guidance on specific areas of concern.

The first step in the audit phase is a pre-audit screening email sent to potential auditees. We have seen several of these delivered recently. A sample of the pre-audit screening email can be found here. The email contains a questionnaire addressing size, entity type, services, contact information, and other background information. The online questionnaire must be completed and returned to OCR within 30 days. Based on the responses received and the information gathered, OCR will create a smaller, representative sample audit pool. Thus, not all entities that receive the initial pre-audit screening email will be audited. However, failure to respond to the questionnaire will not remove an entity from the audit selection pool. OCR will use publicly available information about an entity if it receives no response within the 30-day timeframe.

Every covered entity and business associate is eligible to receive the pre-audit screening email and to be entered into the audit selection pool. However, at this point, we believe the screening e-mail is being sent to entities who have filed a breach notification report with OCR. Based on the responses to the pre-audit questionnaire contained in the screening e-mail, OCR will choose a representative sample of auditees. Entities will be notified if selected.

Phase 2 audits will target areas of frequent non-compliance with HIPAA, such as risk management, privacy practices, individual access to protected health information ("PHI"), breach notifications, and electronic security. Most audits will not involve site visits, though some may. Once an entity is selected for the audit process, it has only 10 days to respond to OCR's audit request, submit all requested documentation through OCR's online portal, and provide a listing of its business associates. While OCR has not stated the exact information that will be requested, we suspect the information requests will include, among other things, HIPAA policies, procedures, and plans, listing of systems that house electronic PHI, risk assessment(s), breach notification documents, Notice of Privacy Practices and other HIPAA forms, and a business associate listing.

Depending on an entity's size, the 10-day window may leave little time to compile and provide the requested information. Thus, while receiving the pre-audit screening e-mail does not guarantee that an entity will be audited, it is recommended that receiving entities take proactive steps to prepare in the event they are ultimately audited. Recommended steps include the following:

  • Assemble a HIPAA response team and hold an initial meeting so that everyone may be prepared in the event of an audit. Potential team members may include your privacy officer, security officer, compliance officer, IT department supervisor, and administrator.
  • Locate all HIPAA-related materials so that they can be gathered quickly in the event of an audit.
  • Review HIPAA policies and procedures to make sure they are up to date, operating effectively, and do not contain any gaps.
  • Review HIPAA forms to make sure they are up to date and are being properly used.
  • Compile a listing of business associates, which, for larger entities, could take a significant amount of time. There are several pieces of information OCR has indicated it will request with respect to business associates. A template form for gathering this information is available here. While use of the template is not required, it does ensure inclusion of all the business associate information OCR is seeking.
  • In relation, confirm that a business associate agreement is in place for each instance where one is required. We have seen some recent enforcement actions whereby covered entities have been fined for not having a business associate agreement in place when one was required.
  • Compile and review the latest risk assessment(s) to make sure they are still valid and cover all the systems that house, transmit, and store electronic PHI. (We have seen recent enforcement actions whereby covered entities have been fined for not having a risk assessment or a series of risk assessments that cover all relevant systems.)
  • Compile an inventory of systems and system assets that house, transmit, and store electronic PHI.

OCR has indicated that the Phase 2 audits are not designed to determine an entity's compliance with HIPAA. Nonetheless, OCR has retained the right to initiate a compliance review based on information received during an audit. Thus, we believe it is worthwhile to take the steps mentioned above in order to help reduce the risk of a compliance investigation.