Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business associates should focus on.

Every covered entity and business associate is eligible for an audit. So, don’t think that because you are a small health care provider or sponsor a group health plan for employees you will be out of the Program’s reach. Auditee selection will be based on a number of criteria including include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. The OCR appears to be looking to examine a healthy cross-section of covered entities and business associates. On the bright side, OCR stated it will not commence an audit under the Program where there is an open complaint investigation or a current compliance review.

Potential auditees will be screened. OCR may send a questionnaire to covered entities asking them to identity their business associates and provide their contact information. OCR warns that if it does not receive responses to these requests it will use publically available information to create its audit pool, and nonresponsive entities still may be selected for an audit or subject to a compliance review. In fact, OCR informs covered entities and business associates that it expects them to check their junk or spam email folders for OCR communications about the Program.

…we expect you to check your junk or spam email folder for emails from OCR

The Program will include Desk Audits, followed by On-site Audits. The first stage of the Program will involve desk audits for covered entities, followed by desk audits for business associates, all of which will be completed by year end. After that, audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit. The audits will examine compliance with specific requirements of the HIPAA Privacy, Security, or Breach Notification Rules. So, for example, OCR might want to look at your documented risk assessment, or your breach notification response plan. Auditees will be notified of the subject(s) of their audit in a document request letter, but OCR confirmed the audits will not cover compliance with state privacy laws.

Consider the audit process and timeline. Covered entities and business associates selected for a desk audit should expect to receive an email informing them of the selection and requesting documents and other data. Auditees will be able to submit documents on-line via a secure audit portal on OCR’s website. OCR expects that the documents and data will be provided within 10 business days of the request.

After submitting the documents and data, auditees will receive draft findings from OCR. Auditees will then have 10 business days to review and return written comments to the auditor. Auditees should expect to receive a final audit report within 30 business days.

Onsite audits will follow a similar process. The auditors will schedule an entrance conference to discuss the audit, which can be expected to take place over three to five days onsite, depending on the size of the entity. These will be more comprehensive and cover a wider range of requirements from the HIPAA Rules. Like the desk audit, entities will have 10 business days to review the draft findings and provide written comments, and they will be provided a final audit report.

Don’t want to respond? Entities that do not respond to OCR communications still may be selected for audit or be subject to a compliance review. As noted, the agency will use public means to find you.

We’ve been audited, now what? OCR states that the Program is primarily a “compliance improvement” activity, through which it can better understand compliance efforts, and determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Of course, if OCR finds a serious compliance issue, it may initiate further investigation.

There may be publicity surrounding audits. OCR states that it will not post a list of audited entities or the findings of an individual audit identifying the audited entity. However, OCR reports that it will comply with Freedom of Information Act (FOIA) requests which could make the results of your audit public.

For now, covered entities and business associates should be on the look-out for communications from OCR and be prepared to respond. It goes without saying that they also should use this as an opportunity to assess their compliance and take steps now to address any gaps.