On Monday, the Office for Civil Rights (OCR) announced the long-awaited launch of Phase 2 of its HIPAA Audit Program. OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to establish a permanent compliance audit program for HIPAA covered entities and their business associates. OCR completed the first phase of testing for the audit program in 2012 when it audited 115 covered entities, but it had yet to establish a permanent program until now.

OCR will begin Phase 2 by sending pre-audit questionnaires to both covered entities and business associates to determine potential audit pools. Covered entities and business associates will be included in the pre-audit questionnaires even if they do not provide updated contact information upon request from OCR. In its press release, OCR indicated that the Phase 2 Audits will focus on desk reviews of HIPAA Privacy, Security, and Breach Notification Rules policies and procedures, although some on-site reviews will be conducted. OCR anticipates publishing an updated audit protocol to assist organizations with conducting their own internal self-audits as part of their HIPAA compliance activities. These desk audits are scheduled to be completed by December, 2016.

The announcement of Phase 2 implementation follows an increase of $4 million in OCR’s budget from its 2016 budget, part of which was earmarked for Phase 2 audits. OCR will direct approximately $1.5 million of the requested $4 million budget increase towards the audit program, giving it an estimated $9.2 million budget. In the Fiscal Year 2017 budget justification presented to the House of Representatives Appropriations Committee, OCR Director Jocelyn Samuels noted that the audit program would support OCR’s “compliance and enforcement mission by proactively and systematically measuring industry compliance with HIPAA requirements.” Previously, OCR’s approach to compliance was primarily reactionary, targeting covered entities only in response to complaints. Ms. Samuels indicated that the additional funding for the permanent phase of the audit program will enable OCR to take a “proactive and systemic look at industry compliance successes and struggles” outside the context of a privacy breach incident, and will help “generate analytical tools and methods for entity self-evaluation.”

Look for upcoming posts providing more details on the Phase 2 Audit Program.