The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that the agency expects to begin Phase 2 Audits in early 2016. OCR intends to conduct desk audits and on-site audits of covered entities (CEs) and business associates (BAs), and has contracted with FCi Federal, Inc., to conduct the data security audits. OCR will begin sending pre-audit surveys to CEs and will obtain BA information from the survey responses. OCR intends to select 350 CEs and 50 BAs over the next three years to conduct audits. Of the 350 CEs selected, there will be approximately 232 healthcare providers, 109 health plans, and nine healthcare clearinghouses. The BAs selected will include 35 IT-related vendors and 15 non-IT-related vendors. OCR intends to audit 150 CEs and 50 BAs for compliance with the security standards, 100 CEs for compliance with the privacy standards, and 100 CEs for compliance with the breach notification standards.

CEs and BAs that receive notification from OCR of a pending audit will have two weeks to respond to a data request. OCR has been developing a web portal for CEs and BAs to submit their data. OCR intends to email the audit notice and data request to the CEs and BAs, so it is important that the entity's privacy official alert the C-suite to the email request so the entity can make a timely submission. OCR will accept only documentation submitted on time; therefore, it is important to have documentation collected and available in anticipation of a request. OCR expects entities to cooperate with the audit process, and any failure to respond to OCR’s requests may result in OCR conducting a full compliance review of the entity.

OCR will focus its audit on identified violations from the Phase 1 Audits, including security risk analysis and management, breach notification, notice of privacy practices, and individual access to protected health information (PHI). OCR will also review security device and media controls, data transmission, encryption and decryption, physical controls, and workforce training and education. If OCR identifies systemic compliance issues during its audit, OCR may expand the audit to include an on-site visit and enforcement action.

Preparing for Phase 2 Audits

CEs and BAs still have time to prepare for the Phase 2 Audits. OCR highlighted the compliance issues from its Phase 1 Audits and will evaluate CEs and BAs in these areas as part of OCR’s overall audit process. OCR has posted its current audit protocol and has indicated it will post a revised audit protocol prior to the start of the audits. CEs and BAs should obtain a copy of the audit protocol and use it as part of their internal audits. The current audit protocol is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.

The checklist highlights areas of concern for compliance, and CEs and BAs should take time to evaluate these aspects of their privacy and security plans.

HIPAA Audit Checklist

Policies and Procedures: Review and revise the privacy, security, and breach notification policies to ensure that they are current and compliant with the HIPAA Omnibus Rule.

Individual Right to Access PHI: Review processes and documentation of requests to ensure timely responses to the individual.

Notice of Privacy Practices: Review the Notice of Privacy Practices to ensure that it meets current requirements for content and posting, including website posting, and distribution.

Workforce Training and Education: Review training materials to ensure that they are current and have documentation evidencing training and education on the privacy and security standards.

Privacy Safeguards: Review safeguards for PHI, including use of paper shredders, copy machines that store data, physically securing PHI in locked cabinets, use of whiteboards, and incidental disclosures. Review the uses and disclosures of PHI to ensure the minimum necessary amount of PHI is used and/or disclosed.

Security Risk Assessment, Analysis, and Management Plan: Compile documentation evidencing that the risk assessment, the risk analysis, and the risk management plans were conducted and implemented. The risk management plan should include a timeline for implementation of specific security controls for identified risks and vulnerabilities. The CE or BA should conduct a security risk assessment and analysis if it has been some time since one was completed. Review documentation of specific controls in place to comply with addressable security standards, including the rationale for alternative security measures in place.

Transmission Security: Review security measures in place to protect ePHI when it is in transit.

Encryption and Decryption: The CE or BA should inventory its devices that contain and transmit ePHI and ensure that the devices are encrypted. If the CE or BA has not encrypted all its devices, it should have a risk management plan detailing the compensating controls currently in place to mitigate risk of compromise.

Device and Media Controls: Review policies and procedures for the use, reuse, disposal, storage, and backup of devices and systems containing ePHI.

Facility Security Plan: The CE and BA are required to have a facility security plan in place wherever PHI is located. The CE and BA should maintain a current inventory of where PHI is located, and a process should be in place when purchasing new IT equipment or when acquiring a new business and its existing IT equipment.

Breach Notification: Ensure that the breach notification policy complies with the requirements of the breach notification standard, including the notification of individuals in a timely manner. Maintain documentation of prior breach notifications to demonstrate notice was provided to individuals in the form of notification letters and substitute notices. Review incident response procedures and documentation for security incidents, including the response, mitigation, investigation, and determination of a breach requiring notification.

Business Associates: OCR will request a list of BAs from the CE responding to an audit. Compile the list of BAs and the associated business associate agreement to respond to an OCR request.