The Phase 2 audit program for HIPAA compliance now is underway — and financial institutions are on the list as potential targets. Many financial institutions are business associates under HIPAA, usually because of their “value-added” services to clients that are health care providers and health plans.

Other financial institutions are clearinghouses, making them covered entities under HIPAA. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had launched the Phase 2 audits to examine and assess how covered entities and business associates are adhering to the HIPAA Privacy, Security, and Breach Notification Rules. Financial organizations that are covered entities and/or business associates under HIPAA would be well served to prepare for these audits now. In the meantime, here is what you can expect from Phase 2:

Who Will Be Selected For a Phase 2 Audit?

All covered entities and business associates are eligible for an audit, although only a relatively small sample will actually be audited. Auditees will be selected based on size, the type of entity and its relationships with patients, whether the organization is public or private, and geographic factors. Organizations that have an open complaint or are undergoing a compliance review will not be selected for an audit, though that is hardly a recommended way to avoid one.

How Will OCR Conduct the Phase 2 Audits?

The phase 2 audits will be conducted in not one, not two, but three rounds:

  • Round 1 will be desk audits of covered entities, conducted remotely and focused on a more limited range of topics.
  • Round 2 will involve remote desk audits of business associates. Rounds 1 and 2 are expected to be completed by the end of the year.
  • Finally, Round 3 audits will target both covered entities and business associates, include onsite audits, and promise to be more comprehensive in scope than those of Rounds 1 and 2. Participating in a desk audit during Rounds 1 or 2 does not constitute a pass for future audits. An auditee in Round 1 or 2 also may be selected for an onsite audit in Round 3.

What Is the Likely Scope of the Desk Audits?

Based on past audits and enforcement experience, the following areas seem likely targets:

  • Privacy desk audit: notices of privacy practices and access
  • Security desk audit: risk analysis and risk management
  • Breach notification desk audit: content and timing

What are Contact Information Confirmations?

On March 21, 2016, OCR sent a letter via an email to covered entities asking them to verify their contact information. It is expected that OCR will take a similar approach for Round 2, focusing on business associates.

Some confirmation letters to covered entities have been caught in spam filters. Also, covered entities have reported that confirmation letters were sent to multiple people within the same organization. The e-mail asks the recipient to click one of two links depending on whether or not the person is the primary contact for the organization. Of course, it is important to check that an e-mail that requests the recipient to click on a link is not a phishing attempt. Accordingly, recipients of an apparent contact verification e-mail should double-check that it is, in fact, from OSOCRAudit@hhs.gov and that the links go to hhs.gov addresses before clicking on them.
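As an added illustration (not part of the original post, and not an OCR tool), the screening check described above in Python: confirm that the From address is OSOCRAudit@hhs.gov and that every link in the body points to hhs.gov or a subdomain of it, rejecting a look-alike host where "hhs.gov" is only a prefix. The message below is constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Values from the post: the OCR sender address and the domain the links must point to.
EXPECTED_SENDER = "osocraudit@hhs.gov"
TRUSTED_DOMAIN = "hhs.gov"

class _LinkExtractor(HTMLParser):
    # Collects href values from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def link_is_trusted(url):
    # True only for https links whose parsed hostname is hhs.gov or a subdomain of it;
    # matching the hostname rather than the raw string rejects look-alike hosts.
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def check_message(raw):
    # Screen a raw RFC 822 message: sender address match plus a per-link domain check.
    # The From header is taken as presented; the gateway's SPF/DKIM/DMARC checks
    # are what establish that the header was not forged.
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = _LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    untrusted = [u for u in extractor.links if not link_is_trusted(u)]
    return {"sender_ok": addr.lower() == EXPECTED_SENDER,
            "links": extractor.links, "untrusted_links": untrusted}

# Constructed sample message (not a real OCR email); the second link uses a look-alike host.
SAMPLE = """From: "OCR Audit" <OSOCRAudit@hhs.gov>
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your role:</p>
<a href="https://www.hhs.gov/ocr/primary">Primary contact</a>
<a href="https://hhs.gov.lookalike.example/not-primary">Not primary contact</a></body></html>
"""
```

Running `check_message(SAMPLE)` reports the sender as matching and flags the look-alike link as untrusted.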

What is the Pre-Audit Questionnaire?

Next, OCR will send a detailed questionnaire about each entity’s size, geographic location, services, and scope of operations. It is unclear whether the survey is unchanged from that which was approved by the Office of Management and Budget last year and available here. Covered entities will also be asked to identify all of their business associates; this is how OCR intends to expand its pool of business associates as potential auditees. OCR will then sift through the data gathered from the questionnaire to develop a diverse pool of eligible audit candidates. OCR’s goal is to have a broad sample of auditees including each type of covered entity (providers, plans, and clearinghouses), different types of business associates, a range of sizes, and entities located in various regions of the country. Therefore, the audit sample will not be entirely random, but it will not be targeted either.

What are the Document Request Letters?

OCR will notify all auditees via email in a “document request letter,” which also will introduce the audit team, explain the audit process, and set expectations. Auditees will be asked to provide requested documents and data to OCR within 10 business days via its online portal. OCR will provide an audited entity with a draft report of OCR’s findings. The auditee may submit its response to the draft report through OCR’s portal within 10 business days. These comments will be included in the final audit report.

Will OCR Provide any Guidance?

Information about the audit is on the OCR website. Phase 2’s new audit protocols still are being shaped, but OCR has promised that they will be available for review before the audits begin this year. It is expected that OCR will use its protocols from the first phase of audits as the basis for the phase 2 audit protocols and update them based on the HIPAA Omnibus Rule.

What’s the Goal of the Audits – Compliance or Enforcement?

According to OCR, the phase 2 audits primarily are meant to help improve HIPAA compliance. OCR will “use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.” OCR also will use the information from the audits to develop additional tools and guidance to help HIPAA regulated organizations with self-compliance and data breach prevention, as well as what other types of corrective action may be warranted.

Yet financial institutions should be aware that OCR may initiate a compliance review if an audit reveals “a serious compliance issue,” whatever that may be in OCR’s eyes.

Take-Away Thoughts: How Your Organization Can Best Prepare for HIPAA Audits

Financial institutions should use this time to their advantage to prepare for the audits and consider taking the following steps:

  • Prepare for emails. OCR will use email for its Phase 2 communications, and has warned that it expects covered entities and business associates to check junk or spam folders for emails from OCR. Entities are likewise encouraged to set OCR as an approved sender, so that OCR’s emails are not sent to a junk or spam folder or otherwise blocked.
  • Respond to every request. OCR made clear that failing to respond to any of OCR’s information requests – including the contact information email or questionnaire – may not save an organization from an audit; instead, OCR will pull publicly available information about the entity. Further, OCR stated that organizations that do not comply with information requests may face an OCR compliance review.
  • Round up all the OCR inquiries. It is possible for an entity to receive more than one information request from OCR under the audit process. Potential auditees should verify that they have identified all of these communications and notified OCR of the correct contact person.
  • Have an audit response plan in place. Entities that do not have an audit response plan already in place should begin developing one now so they can efficiently respond to all phase 2 requests from OCR. As part of this plan, entities may want to consider identifying an audit response team consisting of both internal and external support members, including legal counsel.
  • Conduct a pre-audit review. Covered entities and business associates should conduct their own pre-audit reviews in preparation for the phase 2 audits and correct any gaps in HIPAA compliance. These reviews could be based on the OCR audit protocols as well as other toolkits. Davis Wright has developed toolkits that may be helpful, including one specifically for financial institutions.
  • Meet the audit deadlines. OCR may decide not to consider information that is provided after its deadlines, so timeliness is critical. This will be challenging, since auditees will have only a short window to provide requested documents and to submit feedback on the draft audit report.
  • Be current, but not too current. OCR will request the auditee’s documents that are current as of the date of the data request. OCR, however, may look askance at documents that are developed after the data request. So, now is the time to develop or update compliance documents.