The U.S. Department of Health & Human Services Office for Civil Rights (OCR) released its plans for Phase 2 of the HIPAA Audit Program (Phase 2). Whereas Phase 1 was a pilot program conducted by KPMG and intended to assess the controls and processes of 115 covered entities with respect to HIPAA compliance, in Phase 2 OCR will review the policies and procedures adopted and employed by Covered Entities and their Business Associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

These audits will primarily be offsite desk audits, although some audits may take place onsite, and be limited to compliance with the Privacy, Security, and Breach Notification Rules. OCR will not be reviewing compliance with state laws. All initial communications from OCR to the Covered Entities and Business Associates will be done by email, so it is imperative that potential auditees ensure that correspondence from the email address OSOCRAudit@hhs.gov is not incorrectly classified as spam. OCR will begin Phase 2 with desk audits of Covered Entities and Business Associates. Desk audits should be completed by the end of December 2016.

Step 1 – Initial Contact and Questionnaire

In the first round of Phase 2, Covered Entities of various types (providers, health plans, and health care clearinghouses) will receive email correspondence from OCR to obtain and verify contact information. Following the collection of contact information, Covered Entities will be asked to complete a questionnaire designed to gather data about the size, type, and operations of the Covered Entity. Covered Entities will also be asked to identify and provide contact information for each of their business associates, so it is recommended that Covered Entities begin preparing this list if such a list is not already in place. Failure to respond to the initial email or the follow-up questionnaire will not remove a Covered Entity from the pool of potential auditees. If a Covered Entity fails to respond or fails to provide adequate information, OCR will use publicly available information about the Covered Entity to create its audit pool.

Business Associates will be the focus of the second round of Phase 2. Business Associates will be contacted by OCR in the same manner and will be asked to provide the same information as Covered Entities. Although not expressly stated by OCR, Business Associates should prepare a list of any subcontractor Business Associates that it uses in its relationship to a Covered Entity. As with Covered Entities, failure to respond to the initial email or the follow-up questionnaire will not remove a Covered Entity from the pool of potential auditees.

Step 2 – Audit Selection

In Phase 2, OCR is identifying pools of Covered Entities and Business Associates that represent entities of varying size, operation, and geographic location. By looking at a broad spectrum of candidates, OCR believes it can better assess HIPAA compliance across the industry. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

Step 3 – Desk Audit

If a Covered Entity or Business Associate is selected to be audited, OCR will send a notification letter that sets forth the audit team, explains the audit process, and discusses OCR’s expectations in more detail. The letter may also include requests for certain documentation from the audited entity. It is the expectation of OCR that the audited entity responds to the request within 10 days. After OCR’s review, the audited entity will be provided with a draft of OCR’s findings and have 10 days to review and respond with written comments. A final audit report for each entity will be completed within 30 days from receipt of comments and be provided to the audited entity. OCR will not be posting a list of the audited entities or the findings an individual audit, but it is important to note that such information may be subject to release under the Freedom of Information Act.

Step 4 – Onsite Audit

Covered Entities and Business Associates may also be subject to onsite audits during Phase 2. This process will commence with notification being sent to the audited entity and an entrance conference to discuss the audit process and OCR’s expectations. Each onsite audit will be conducted over three to five days. Following the audit, OCR will produce a draft report within 10 days and the audited entity will have 10 days to review and respond with comments. The final report will be completed by OCR within 30 days and delivered to the audited entity. As with the desk audits, OCR will not be posting a list of the audited entities or the findings of an individual audit, but it is important to note that such information may be subject to release under the Freedom of Information Act.

Step 5 – Post Audit

Phase 2 audits are being conducted primarily as a compliance improvement activity, rather than a compliance enforcement activity. It is the OCR’s hope that this audit will help address potential issues prior to a breach. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.

To get prepped for a possible audit, we suggest that HIPAA-Covered Entities and Business Associates compare and contrast their current practices to the audit protocols published on OCR’s website. For those individuals and entities that may be unsure whether they are covered by HIPAA, we recommend quickly making such a determination and taking appropriate measures to implement a HIPAA compliance program if needed.