The long-awaited HIPAA Phase 2 audits are here. On March 21, 2016, the Office for Civil Rights (OCR) released an announcement regarding the launch of the Phase 2 audits.

The Phase 2 audits have been expected for some time, and much of the information about the audits is well known. Representatives of OCR have also commented recently that the Phase 2 audits were underway. And the new OCR announcement makes it official.

At this point, OCR is sending emails to obtain and verify contact information, to identify covered entities and business associates of various types, and to determine which are appropriate to be included in potential auditee pools. Note that the emails from OCR could be incorrectly classified as spam. You should consider setting your email filters to allow emails from OSOCRAudit@hhs.gov. OCR warns: “…we expect entities to check their junk or spam email folder for emails from OCR.”

Additional useful information about the Phase 2 audits is available here. Items of note regarding Phase 2 audits include:

  • There will be three sets of audits in Phase 2: first to occur will be a set of desk audits of covered entities, second will be a set of desk audits of business associates, and third will be a round of onsite audits of either covered entities or business associates. All desk audits will be completed by the end of December 2016.
  • Every covered entity and business associate is eligible for an audit.
  • Once contact information is obtained, OCR will send a questionnaire to gather data about the size, type and operations of potential auditees. As a part of the pre-audit screening questionnaire, OCR is asking that covered entities identify their business associates. OCR states that: “We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request.”
  • Once the audit pool is established, OCR will conduct a random sample of entities in the audit pool. Selected auditees will then be notified of their participation.
  • Documentation will be requested of audited entities, who will submit the documents online via a new secure audit portal on OCR’s website within ten business days of the request.
  • After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have ten business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.
  • OCR notes that the audits are primarily a compliance improvement activity. OCR will review and analyze information from the final reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. However, the announcement explains that should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.

Covered entities and business associates should ensure their HIPAA compliance program documents are updated and readily available to respond to an audit request. In particular, covered entities need to have an accurate and up-to-date list of their business associates available.

The online HIPAA compliance program sponsored by Bricker & Eckler and INCompliance is available here. Comprehensive HIPAA information is available in our HIPAA Resource Center.