The Office of Civil Rights (“OCR”) has begun Phase 2 of its HIPAA Security Audits. Phase 2 targets both covered entities and their business associates, and begins with an email. The email will come from OCR and will require you to verify your address and contact information. You can’t avoid an audit by not responding to the email. Also, be sure to check your spam and junk mail filters – OCR expects you to check them and will not accept a blocked email as an excuse for no response. OCR will use publicly available information to track down any non-responders.

The initial emails will be followed up by a pre-audit questionnaire. You will be required to provide information about your size and operations. This sounds pretty simple, but covered entities will also be asked to provide a list of their business associates and their corresponding contact information. Did you implement that contract management system yet? OCR recommends that covered entities start preparing the list now so they are prepared to respond. After collecting this data, OCR will be able to home in on the compliance efforts of business associates.

OCR will use the pre-audit questionnaire to identify pools of potential auditees, which will then be chosen at random. Most of the Phase 2 audits will be desk audits using OCR’s new secure audit portal. All documents must be in digital form and submitted electronically. Covered entities will be audited first and then business associates, but all desk audits will be completed by December 2016. Following the desk audits, OCR may conduct more extensive on-site audits.

The audits are designed to improve compliance and assist OCR in developing guidance and technical assistance. However, OCR may initiate a compliance review to investigate any serious compliance issues found.

The Office of Inspector General (“OIG”) is currently reviewing the adequacy of OCR’s oversight of the security of electronic protected health information. The OIG is specifically looking at OCR’s audit process. OCR is tasked with ensuring that both covered entities and business associates are adequately protecting electronic protected health information. Thus, these Phase 2 audits will focus on your security measures and your compliance with specific requirements of the privacy, security, and breach notification rules.

Be prepared to submit copies of your up-to-date risk analysis and all applicable policies and procedures. The risk analysis is fundamental to your compliance efforts. You must be able to demonstrate that:

  1. You have assessed the potential risks and vulnerabilities to all electronic protected health information.
  2. You have implemented appropriate controls to address those risks and vulnerabilities.
  3. You periodically review your analysis and security measures.

It is imperative that your whole organization, including affiliates, is included in the risk analysis. Recent OCR settlements have cited the covered entity’s failure to ensure that the whole organization is in compliance. Don’t forget to include medical devices that contain protected health information and all of those mobile devices too.