The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights (OCR). The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates. The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance. In addition, business associates will be subject to HIPAA audits for the first time.

The new audit protocol represents the agency’s effort to provide a more comprehensive and detailed guide to OCR’s enforcement and audit approach. The protocol has been expanded to cover more HIPAA provisions than the one used during Phase 1 audits. In addition, the documentation requirements associated with specific HIPAA provisions now frequently include a list of specific criteria that will be considered in evaluating compliance with that provision.

OCR kicked off the Phase 2 audit program last month, and has been contacting covered entities and business associates that are candidates for inclusion in the Phase 2 HIPAA audits in order to obtain and verify contact information. OCR has put covered entities on notice that they should be on the lookout for this communication (e.g., checking junk or spam email folders for emails from OSOCRAudit@hhs.gov). Once contact information is verified, the agency will distribute short questionnaires, seeking additional business information about potential audit candidates (e.g., number of locations, number of hospital beds, list of business associates). Upon compiling that information, the agency will select which entities it will audit. OCR has stated that it will not audit entities with an open OCR HIPAA investigation or that are currently undergoing a compliance review.

The Phase 2 audits will be primarily “desk audits,” in which entities will be required to submit documentation electronically, in accordance with tight deadlines (expected to be ten business days). Additionally, OCR has suggested that there may be a limited number of on-site audits included as part of Phase 2. The agency has not yet determined whether entities subject to such audits will be pulled from the pool of entities subject to desk audits or from the broader pool of potential audit candidates the agency has identified.