The Office for Civil Rights ("OCR"), Department of Health and Human Services ("HHS"), emailed notices to 167 covered entities on July 11, 2016 informing them they were selected for a HIPAA Phase II audit. Health care providers, health plans and health care clearinghouses were randomly selected by OCR from the audit pool. If your organization did not receive a notice, this is a very good indication that your organization was not selected for audit. Covered entities should check their email spam folders to be sure they do not contain an email from OCR.
The audits will begin as desk audits. Responses to document requests are due to OCR by July 22, 2016. The desk audits are narrow in scope. For covered entities that were selected for a Privacy Rule audit, the audit will address the right to access and the notice of privacy practices. The Security Rule audit will address the risk analysis and risk management standards. The Breach Notification Rule audit will address the timeliness and content of breach notices. Some desk audits of covered entities will expand to on-site audits in early 2017.
Approximately 33 business associates will be chosen for desk audits later this year. The pool of business associates will come from the business associate agreement logs to be submitted by the 167 covered entities selected for audit. Business associates will be audited on Security Rule risk analysis and risk management standards, as well as Breach Notification Rule compliance.