A representative of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has recently revealed that OCR has delayed the start of phase 2 of its HIPAA Audit Program – and has revised its plans for phase 2.

Previous Plans for Phase 2

Earlier this year, OCR had announced that phase 2 of the Audit Program would begin this year and would target specific high-risk issues.  It had indicated that, beginning this past summer, it would conduct a pre-audit survey of 800 covered entities and 400 business associates to determine their suitability for the OCR HIPAA Audit Program.  (See our blog post on the pre-audit survey at: http://www.alstonprivacy.com/blog.aspx?entry=5231.)  OCR indicated it would use the survey to select 350 covered entities and 50 business associates to be audited in phase 2.  At the same time, OCR had indicated that it would begin phase 2 audits of covered entities in the fall of 2014, with the 2014 audits of covered entities focused on the following:

  • Risk analysis and risk management (Security Rule).
  • Notice of privacy practices and access rights (Privacy Rule).
  • Content and timeliness of breach notification (Breach Notification Rule).

The 2015 audits of covered entities would have focused on device and media controls and transmission security (Security Rule) as well as safeguards and training on policies and procedures (Privacy Rule).  Audits of business associates were scheduled to start in 2015, focused on risk analysis and risk management (Security Rule) and breach reporting to the covered entity (Breach Notification Rule).  At the time, OCR had also indicated that the audits would be “desk audits” – i.e., document-only audits, without on-site follow-up.

A New Web Portal – And New Plans for Phase 2

However, OCR has recently announced that phase 2 of the HIPAA Audit Program has been delayed and that, when it starts, there will be more on-site, comprehensive audits and fewer desk audits. 

The OCR senior health information privacy advisor who heads the HIPAA Audit Program announced last week that OCR has delayed the pre-audit survey, as well as phase 2 of the HIPAA Audit Program, until it is able to implement a new web portal through which entities can submit information to OCR.  She would not confirm when the surveys would be issued or when phase 2 would begin – merely advising covered entities and business associates to “stay tuned.”  She confirmed that OCR is planning to use the new portal both to deliver the pre-audit survey screening tool and to have audited entities enter their data for the audits.  According to OCR, the portal technology will streamline the audit process by collecting, collating, and analyzing audit data.  This will save OCR time and allow it to conduct more audits.

In addition to delaying the start of phase 2 of the Audit Program, OCR has changed its plans for the audits.  Instead of conducting 400 desk audits, OCR – with the new web portal and some additional funding – is planning to do a larger number of on-site, comprehensive audits, including business associate audits, and to conduct fewer than 200 targeted desk audits.  OCR is planning to send the pre-screening surveys to covered entities – and then to business associates – “in the near future.”  OCR stated that it will also update its HIPAA audit protocols before this next round of audits begins.

OCR advises covered entities to be ready with a list of their business associates, including contact information and the services each business associate provides.  Entities will be responsible for showing compliance with the Security Rule (including risk analysis), the Privacy Rule (including access issues), and breach notification under the Breach Notification Rule.  Among other things, OCR will be looking for comprehensive, periodic risk analyses and documentation of appropriate follow-up risk management activities.  It will also be looking for documentation of the entities’ policies and procedures – and evidence that the policies and procedures have been implemented and are being enforced, such as by the imposition of sanctions (consistent with the entities’ sanctions policies) for violations.

Breach Avoidance and Compliance

In discussing ways to comply with HIPAA and to avoid breaches, the OCR representative mentioned encryption.  She also emphasized the importance of conducting periodic, comprehensive risk analyses.  In evaluating a risk analysis, OCR looks at whether the entity has considered all of the potential areas of risk, the different types of information coming in and going out, and the introduction of new technology.  Entities need to consider human error and vulnerabilities as well as administrative and technical risks and protections.

Covered entities and business associates should prepare now by reviewing and updating, as appropriate, their HIPAA policies and procedures, risk analyses, breach notification procedures, and relationships governed by the business associate provisions of HIPAA’s Privacy Rule.  Alston & Bird can assist with any of those efforts, as well as with responses to OCR audits or investigations.