In March, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that Phase 2 of its audit program has begun in order to assess compliance with the Privacy, Security, and Breach Notification rules under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Unlike the prior round of audits which focused only on HIPAA covered entities (certain health care providers, health plans, and health care clearinghouses), Phase 2 of the audit program will focus on both covered entities and business associates.
Recall that business associates are directly responsible for complying with many of HIPAA’s requirements after HIPAA was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the final HITECH Act regulations were issued in 2013.
Phase 2 of the audit program will initially consist of mostly desk audits, where covered entities and business associates will submit requested documents through an online portal. The first round of desk audits will focus on covered entities. OCR will be asking audited covered entities for lists of their business associates, and these business associates will enter the pool of potential audit candidates for the second round of desk audits which will focus on business associates. After the initial rounds of desk audits, OCR will conduct more comprehensive onsite audits examining a broader scope of HIPAA’s requirements. It is possible that a desk audit may be followed up with an onsite audit.
Covered entities and business associates will want to make sure they have their HIPAA policies and procedures in order and updated, all required security risk assessments completed, and HIPAA workforce training scheduled if not done recently. In addition, now is a good time for covered entities and business associates to make a list of their business associates and ensure that updated business associate agreements are in place.
The potential consequences for failing to comply with the Privacy, Security, and Breach Notification rules under HIPAA can be severe. Recent settlements with HHS for potential HIPAA violations include a $3.9 million settlement with Feinstein Institute for Medical Research on March 17, and a $1.55 million settlement with North Memorial Health Care of Minnesota on March 16.