As part of its continued effort to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced yesterday that it has begun its next phase of audits of covered entities and their business associates. In the 2016 Phase 2 HIPAA Audit Program, OCR will review covered entities’ and business associates’ implemented policies and procedures primarily through desk audits; however, some on-site audits will also be conducted.

This second phase of audits follows OCR’s 2011-2012 pilot program of 115 entities.  From the data collected and results achieved, OCR developed enhanced protocols to be used in the 2016 Phase 2 HIPAA Audit Program, including a new strategy to test the efficacy of desk audits in evaluating compliance with privacy, security and breach notification rules.  OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.  OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review. 

The first desk audits will be for covered entities, followed by a second round of desk audits of business associates.  All desk audits in this phase will be completed by the end of December 2016.  A third set of audits will be onsite and will cover a broader scope of requirements from the HIPAA Rules than desk audits.  It is anticipated that results from desk audits may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered. 

The audits of covered entities are now underway and begin with an email notification requesting contact information.  The emails will originate from OSOCRAudit@hhs.gov; because spam filtering and virus protection may divert them automatically, OCR expects entities to check their junk or spam folders for the message.  Conversely, an entity should confirm that a message claiming to come from OCR actually originates from that address before responding.  Failure to respond to the notification email will not remove an entity from consideration: OCR may instead use publicly available information to build its audit pool, so a later desk or onsite audit notification may not reach the appropriate company representative in a timely fashion.  From the responses to the initial email, OCR will create a pool of targets for desk and onsite audits.

If your entity is chosen for a desk audit, requested information must be submitted electronically within 10 business days of the request.  OCR will then provide draft findings, and auditees will have 10 business days to review them and return written comments.  Entities chosen for onsite audits will likewise receive an email notification.  OCR will schedule an entrance conference to explain the process, and the onsite audit will be conducted over a 3-5 day period, depending on the size of the entity.  Entities will have 10 business days to review draft findings and provide written comments to the auditor.  OCR will complete and deliver a final audit report within 30 business days.

As we have advised in our recent client alerts regarding HIPAA enforcement trends, we believe the 2016 Phase 2 HIPAA Audit Program will have a keen focus on business associates and on covered entities’ Business Associate Agreements (“BAAs”).  Business associates have been directly subject to the HIPAA Rules only since the 2013 Omnibus Rule, so their compliance with the Privacy, Security and Breach Notification Rules may not be as robust or as fully vetted as OCR requires.  Business associates that conduct third-party billing, data analysis, storage and management, and the covered entities that hold BAAs with these vendors, are particularly likely to be targets of OCR audits.  Covered entities and business associates should exercise due diligence by reviewing their HIPAA compliance programs, confirming that a current BAA is in place for every vendor that handles PHI, and conducting system-wide audits of their PHI safeguards to identify and remediate weaknesses that could put protected health information at risk.