The Phase 2 audit program for HIPAA compliance is under way. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had launched the Phase 2 audits to examine and assess how covered entities and their business associates are adhering to the HIPAA Privacy, Security, and Breach Notification Rules. Covered entities and business associates would be well served to prepare for these audits now. In the meantime, here is what you can expect from Phase 2:
Who Will Be Selected For a Phase 2 Audit?
All covered entities and business associates are eligible for an audit, although only a relatively small sample of entities actually will be audited. Auditees will be selected based on size, the types of entities and relationships with patients, whether an organization is public or private, and geographic factors. And whether fortunate or not, organizations that have an open complaint or are undergoing a compliance review will not be selected for an audit.
How Will OCR Conduct the Phase 2 Audits?
The Phase 2 audits will be conducted in not one, not two, but three rounds:
- Round 1 will be remote desk audits of covered entities. These audits will have a narrower focus on entities’ compliance with the Privacy, Security, or Breach Notification Rules.
- Round 2 will involve similar remote desk audits on business associates. Both Rounds 1 and 2 are scheduled to finish by the end of 2016.
- Finally, Round 3 audits will target both covered entities and business associates, be performed through onsite audits that will last three to five days, and promise to be more comprehensive in scope than those of Rounds 1 and 2.
Participating in a desk audit during Rounds 1 or 2 does not constitute a pass for future audits; rather, an auditee in Round 1 or 2 also may be selected for an onsite audit in Round 3.
What Is the Likely Scope of the Desk Audits?
OCR reviewed results of the first phase of the audits (conducted in 2011 and 2012). The findings of these audits will shape the focus of the Phase 2 audits. Therefore, the following areas seem likely targets:
- Privacy desk audit: notices of privacy practices and access
- Security desk audit: risk analysis and risk management
- Breach notification desk audit: content and timing
What are Contact Information Confirmations?
On March 21, 2016, OCR sent a letter via email to covered entities asking them to verify their contact information. Some of these confirmation letters have been caught in spam filters. Also, covered entities have reported that confirmation letters were sent to multiple people within the same organization. The e-mail asks the recipient to click one of two links depending on whether the person is the primary contact for the organization. Of course, it is important to check that an e-mail that requests the recipient to click on a link is not a phishing attempt. Accordingly, recipients of an apparent contact verification e-mail should double-check that it is, in fact, from OSOCRAudit@hhs.gov and that the links go to hhs.gov addresses before clicking on them.
What is the Pre-Audit Questionnaire?
Next, OCR will send a detailed questionnaire about each entity’s size, geographic location, services, and scope of operations. It is unclear whether the survey is unchanged from the one that was approved by the Office of Management and Budget last year and available here. Covered entities will also need to identify all of their business associates. OCR then will comb through the data gathered from its questionnaire to develop a diverse pool of eligible audit candidates. OCR’s goal is to have a broad sample of auditees, including each type of covered entity (providers, plans, and clearinghouses), different types of business associates, a range of sizes, and entities located in various regions of the country. Therefore, the audit sample will not be entirely random, but it will not be targeted either.
What are the Document Request Letters?
OCR will notify all auditees via email in a “document request letter,” which also will introduce the audit team, explain the audit process, and set expectations. Auditees will also be asked to provide requested documents and data to OCR within 10 business days via its online portal. Importantly, OCR expects all auditees to give its auditors their full cooperation and support.
Will OCR Provide any Guidance?
Information about the audit is on the OCR website. Phase 2’s new audit protocols still are being shaped, but OCR has promised that they will be available for review before the audits begin this year. It is expected that OCR will use its protocols from the first phase of audits as the basis for the phase 2 audit protocols and update them based on the HIPAA Omnibus Rule.
What’s the Goal of the Audits – Compliance or Enforcement?
According to OCR, the Phase 2 audits primarily are meant to help improve HIPAA compliance. OCR will “use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.” OCR also will use the information from the audits to develop additional tools and guidance to help HIPAA regulated organizations with self-compliance and data breach prevention, as well as what other types of corrective action may be warranted.
Yet entities should be aware that OCR may still initiate a compliance review if an audit reveals “a serious compliance issue,” whatever that may be in OCR’s eyes.
Take-Away Thoughts: How Your Organization Can Best Prepare for HIPAA Audits
It will be some time until OCR is ready to notify the chosen few that they have been selected for a Phase 2 audit. Covered entities and business associates should use this time to their advantage to prepare and make sure they are in the best position possible if they are selected. All organizations are encouraged to take the following steps to prepare themselves for Phase 2:
- Check your email and spam folders for OCR’s emails, and set OCR as an approved sender. OCR will use email for its Phase 2 communications, and has warned that it expects covered entities and business associates to check junk or spam folders for emails from OCR. Entities are likewise encouraged to set OCR as an approved sender, so that their emails are not sent to a junk or spam folder or otherwise blocked.
- Respond. OCR made clear that failing to respond to any of OCR’s information requests – including the contact information email or questionnaire – may not delay or save an organization from an audit; instead OCR will pull publicly available information about the entity. If OCR does so, this may lead to delays in information reaching the right person, resulting in less time to respond. Further, OCR stated that organizations that do not comply with information requests may face an OCR compliance review.
- Round up all the OCR inquiries. It is possible for an entity to receive more than one information request from OCR under the audit process. Potential auditees should verify that they have identified all of these communications and notified OCR of the correct contact person.
- Have an audit response plan in place. Entities that do not have an audit response plan already in place should begin developing one now so they can efficiently respond to all Phase 2 requests from OCR. As part of this plan, entities may want to consider identifying an audit response team consisting of both internal and external support members, including legal counsel.
- Conduct a Pre-Audit Review. Covered entities and business associates should conduct their own pre-audit reviews in preparation for the Phase 2 audit and correct any gaps in HIPAA compliance. These reviews could be based on the OCR audit protocols as well as other toolkits. Davis Wright has developed toolkits that may be helpful.
- Respond promptly to all OCR requests. OCR may decide not to consider information that is provided after its deadlines. So, timeliness is critical. This will be challenging since auditees will have only a short window to provide requested documents and submit feedback on draft audit reports.
- Know your business associates. Entities will be asked to identify their business associates, so now is the time to develop lists including contact information for business associates. Additionally, the HIPAA Omnibus Rule changed the definition of business associate, so entities should re-verify that they have correctly identified their business associates. It also is prudent to verify that updated business associate contracts are in place.
- Be current, but not too current. OCR will request the auditee’s documents that are current as of the date of the data request. OCR, however, may choose to not consider documents that are developed after the data request. So, now is the time to develop or update compliance documents.