Nearly two years after the Office of Civil Rights (“OCR”) first announced its preparation for another round of HIPAA audits, Phase II of OCR’s HIPAA audit program is finally underway.

On March 21, OCR began emailing various types of entities to verify their e-mail addresses and contact information. OCR acknowledged that its email communication may be treated by email filters as spam, but has advised that it expects entities to check their junk or spam email folder for emails from OCR. Recipients have 14 days to verify their email address or provide OCR with updated primary and secondary contact information.

A pre-screening questionnaire will follow seeking details regarding the entity’s size, geographic location, services and scope of operations. Covered entities will also be asked to identify their business associates. Presumably, OCR will use this information to identify and begin emailing business associates to verify their contact information and follow-up with a pre-screening questionnaire.

OCR is looking at a broad spectrum of audit candidates and will be considering the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an entity is public or private, and geographic factors. The only entities safe from selection are those with an open complaint investigation or currently undergoing a compliance review. Failure to respond to any contact or information request will not prevent an entity from being selected for audit; rather, OCR will simply rely on available public information.

Audit Process

OCR audited 115 covered entities in Phase I. For Phase II, OCR expects to conduct more than 200 audits with a balance between covered entities and business associates. Phase II will consist of three rounds with a primary emphasis on desk audits.

  • Round 1: Desk Audits of Covered Entities
  • Round 2: Desk Audits of Business Associates
  • Round 3: On-site Audits of Covered Entities and Business Associates

Desk Audits

Desk audits will focus on compliance with particular provisions of the Privacy, Security and Breach Notification Rules. Requested documents and data must be submitted within 10 business days through OCR’s online portal. Auditors will review submitted documentation and furnish draft findings to the audited entity, which will have 10 business days to review and respond with written comments. OCR will issue a final audit report within 30 business days. Desk audits are expected to be completed by the end of 2016.

On-site Audits

An entity may be selected for on-site audit even if it has undergone a desk audit. On-site audits will be 3-5 days and cover a wider range of compliance requirements under the HIPAA Rules. As in the case of desk audits, the audited entity will still only have 10 business days to review OCR’s draft findings and provide written comments, and a final audit report will be issued by OCR within 30 business days.

OCR does not intend to post a list of audited entities or the findings of individual audits but such information may be subject to disclosure under the Freedom of Information Act.

Next Steps

Spam Folder. If you haven’t done so already, check your spam or junk email folder (and advise your colleagues to do the same) and include OCR (OSOCRAudit@hhs.gov) as an approved sender. To the extent multiple individuals from your organization receive the initial email communication from OCR, coordinate responses so that OCR is notified of the correct primary and secondary contact.

Business Associate Contacts. If you are a covered entity, compile a comprehensive list of business associates and their contact information. It would also be a good idea to confirm that a business associate agreement is in place with each service provider on the list.

Internal Audit. While OCR is developing its audit pool, take this time to ensure that your HIPAA compliance documents are in order (and remedy any deficiencies). OCR is still drafting its protocols for Phase II, which are expected to be available prior to the start of on-site audits. The Phase I protocols remain available on the Department of Health and Human Services website, but keep in mind that they do not reflect changes under the 2013 Final Omnibus Rule. Focus your immediate attention on the documentation relevant to the areas targeted for attention under the desk audits.

After Phase I of the audit program revealed widespread noncompliance with various aspects of the HIPAA Rules, OCR indicated that Phase II and future audits would be more focused on enforcement (i.e., imposition of civil monetary penalties or resolution agreements). Recently, however, OCR Director Jocelyn Samuels stated that the audits are not intended to be punitive. Instead, OCR views the audits as an opportunity to discover risks and vulnerabilities faced by entities in different sectors and geographic regions of the industry and to get out in front of potential problems before they result in breaches. However, OCR has warned that if a serious compliance issue is uncovered during the audit, a compliance review may be initiated.