OCR begins Phase 2 audit program of covered entities and business associates

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it has begun Phase 2 of its HIPAA audit program. This audit phase will impact covered entities and their business associates.

The purpose of the Phase 2 audit program is to allow OCR to review the policies and procedures of covered entities and business associates to meet selected standards and implementation specifications of the HIPAA privacy, security, and breach notification rules (HIPAA Rules). OCR has indicated that it will utilize the Phase 2 audit findings to identify technical assistance it should develop for covered entities and business associates. To the extent an audit reveals a serious compliance issue, OCR may conduct a compliance review that could lead to civil monetary penalties.

The Audit Process

OCR is randomly contacting covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates to obtain information. Once OCR obtains contact information for covered entities, it will require completion of a questionnaire that asks about the covered entity’s operations and arrangements with business associates. Communications from OCR will be sent via email.

Auditees will be chosen through random sampling of the audit pool for participation in either a desk or an onsite audit. In terms of timing, covered entities who are selected for a desk audit must submit requested information within 10 business days of the information request. All documents are to be submitted digitally through the OCR's online portal. Auditees will be provided with draft findings and will have 10 business days to review and return such findings with comments. The auditor will then prepare a report within 30 business days of receiving comments.

Onsite audits, which will be more comprehensive than desk audits, will be conducted over a three to five day period at the auditee’s location. Like with desk audits, auditees will be provided with draft findings and will have 10 business days to review and return them with comments. The auditor will then prepare a report within 30 business days of receiving comments.

Now is the Time to Prepare and Assess Risks

Covered entities and business associates should take the appropriate steps to prepare for the possibility of a Phase 2 audit. It's not just a smart legal and business practice to evaluate whether your organization is safeguarding protected information, it's required by HIPAA.

In order to fulfill these requirements, all entities subject to HIPAA's Security Rule must run a risk assessment. Additionally, covered entities and business associates should review their HIPAA privacy policies and procedures to ensure that they are up-to-date with recent legal changes. Finally, covered entities and business associates should monitor their operations for purposes of HIPAA compliance.

Register now for your free, tailored, daily legal newsfeed service.

OCR begins Phase 2 audit program of covered entities and business associates
Blog Health Care Law Blog

Filed under

Topics

Laws

Organisations

Popular articles from this firm

Why Auctions Work for Maximizing the Value of Assets *

Golden Rules for Selecting Foreign Distributors and Agents *

UCC Corner: Missing Contract Terms - Pricing *

Michigan Adopts New Requirements for Controlled Substance Prescriptions *

Michigan Lakefront Property Owners - An Overview of Your "Riparian Rights" *

More from Health Care Law Blog

HIPAA Disclosures of Protected Health Information after Dobbs v. Jackson Women's Health Organization: Foster Swift Highlights Navigating Michigan and Federal Law

CMS Guidance Ends Waivers for COVID-19

Update to CMS Guidance on Shared Health Care Facilities

Licensing Flexibility Codified through SB 759

Impact of Biden's EO on Healthcare Industry

Related practical resources PRO

Related research hubs