Guest blog: HIPAA Compliance Audits, Round 2 - Are You Ready to Rumble?
Blog Internet, Information Technology & e-Discovery Blog

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who specializes in complex litigation with a focus on technology and Internet eCommerce related issues.

Over the next few months, the Office for Civil Rights (OCR) will begin the second phase of its HIPAA audit program, as part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. This new phase focuses on reviewing the policies and procedures adopted and employed by covered entities and, for the first time, their Business Associates, to meet selected standards and implementation specifications for the Privacy, Security, and Breach Notification Rules.

The audit program actually commenced in April 2016, when OCR sent out between 500 and 1000 Audit Pre-Screening Questionnaires to designated company contacts. So on the plus side, if your organization did not receive one of these questionnaires, it is a pretty safe bet that you will not be audited by OCR this year (but check your SPAM e-mail filter – OCR has made it clear that “not getting your e-mail” will not excuse compliance, either with the requirement to fill out the questionnaire or the need to cooperate with any subsequent audit). If you did receive and complete a questionnaire, you could be getting a notice to produce documents soon!

The full audit protocol covers literally hundreds of standards and specifications, but generally speaking, OCR has confirmed the following areas of focus:

• For covered entities being audited on privacy, OCR will look mostly at individual’s rights of access and notice of privacy practices;
• For covered entities being audited on security, OCR will look mostly at risk analysis and management;
• For covered entities being audited on breach notification, OCR will look at the timing and content of breach notification, and possibly any internal assessments that an actual impermissible use or disclosure of PHI was not a breach; and
• For business associates, OCR will look at risk analysis and management and the timeliness and content of breach notifications to covered entities.

As for timing, once you receive a notice from OCR that you have been selected for a desk audit, you will have ten business days to produce whatever documents the agency has requested. While agencies, under normal circumstances, might be willing to grant an extension if you needed some more time, I would not bank on that here. Given the number of data breaches that have occurred in the healthcare industry (a recently released report indicates that roughly 90% of healthcare organizations have experienced at least one data breach in the past two years), OCR wants to evaluate compliance and it wants to do it quickly.

So don’t wait for the audit notice. Have all of your privacy compliance documents ready to go. If the request ends up being narrower than expected, it will be easier to cull out what you do not need.