The Department of Health and Human Services Office of Civil Rights (OCR) has commenced the long-anticipated HIPAA phase 2 audits, and with them may come an uptick in HIPAA enforcement efforts. All providers and business associates, both large and small, are eligible to be chosen for a desk and/or onsite audit. OCR’s audits will focus on a thorough review of the policies and procedures each entity has adopted and implemented to meet the Privacy, Security and Breach Notification rules. If serious compliance issues are uncovered during the audit, OCR may initiate a compliance review for further investigation, which carries the possibility of financial penalties. OCR plans to post updated audit protocols on its website before it begins to conduct the desk audits.
To kick off the process, OCR has e-mailed letters asking entities to verify their address and contact information and to answer a pre-audit screening questionnaire. Privacy officers should make sure to check their spam folders, as not responding to this initial letter will not exempt you from OCR’s audit. A sample letter can be found here and more information regarding the Phase 2 Audits can be found on OCR’s website.