On March 21, 2016, the Department of Health and Human Services' Office for Civil Rights (OCR) announced that Phase 2 of its HIPAA audit program had commenced. The audits may take the form of onsite assessments or desk audits, and OCR expects to complete them by the end of December 2016. Letters have already gone out to some potential audit targets. These letters are automated email communications that ask the recipient to confirm the entity's identity and contact information. See this sample letter from the Department of Health and Human Services. Any covered entity or business associate is eligible to be audited, and an entity that does not respond to the initial information request may still be selected for audit.
OCR's question-and-answer guidance indicates that auditors will not be looking at state-specific privacy and security rules. This is notable because HIPAA's preemption rule leaves more stringent state laws in force: in order to comply with HIPAA, covered entities and business associates must also comply with state laws that provide more protection for patient information than HIPAA does. The guidance also indicates that OCR will not audit entities with an open complaint investigation or compliance review.
Covered entities and business associates should take steps to prepare in case they are audited. The pre-audit screening questionnaire is sent by email and could get caught in spam filters, so entities should check their spam and junk folders for messages from OCR. The questionnaire will require covered entities to identify their business associates, and OCR is encouraging covered entities to get this list ready now so they are able to respond promptly. Covered entities and business associates may also benefit from reviewing OCR's old audit protocol to ensure that they have documentation demonstrating compliance with each of HIPAA's requirements. Note that the old audit protocol was never updated to reflect the HITECH Act's Omnibus Rule, so it should be supplemented with a review of the Omnibus Rule's requirements.