If you recently received an email from the Office for Civil Rights (“OCR”) asking you to confirm your contact information for potential inclusion in the “HIPAA Privacy, Security, and Breach Notification Rules Audit Program,” that is a sign that you may be in the pool of covered entities and business associates who will be audited as part of the Phase 2 HIPAA audits. Some entities have been confused by the recent emails from OCR and about what those emails mean. Well friends, these letters indicate that the time has come.

As we discussed in our previous blog post, OCR is proceeding with Phase 2 audits that will include both covered entities and business associates. Every covered entity and business associate is eligible for an audit, except that OCR will not audit entities with an open complaint or entities that are currently undergoing an OCR compliance review. OCR will review the policies and procedures implemented by the audited covered entities and business associates to determine compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

What do you need to do if you received this email? First and foremost, make sure you respond to the email within the designated timeframe. Second, make sure you have your HIPAA compliance program up to date! This goes for you too, business associates! At a minimum, this would include:

  1. Designating a privacy officer and a security officer
  2. Conducting a security risk analysis
  3. Developing HIPAA privacy and security policies and procedures
  4. Entering into business associate agreements and subcontractor business associate agreements
  5. Training workforce members
  6. Developing a Notice of Privacy Practices (for health care providers and health plans)
  7. Maintaining documentation relating to HIPAA compliance for a minimum of 6 years

OCR will select the covered entities and business associates to be audited from the pool of entities that received the recent emails. OCR then plans to conduct three rounds of audits. The first round will be desk audits (involving document review only) of covered entities. The second round will be desk audits of business associates. OCR expects an auditee to respond to all requests for documentation during the desk audit phase within 10 business days of the request. Accordingly, if you are the recipient of one of the emails from OCR, now is the time to start identifying where your documents reside and making sure you have everything you need!

If you have not received an email from OCR, make sure to keep an eye out for one. And make sure to check your spam folders as well!