On March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced it was beginning its next round of audits of covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule (the “Phase 2” audits). OCR’s audit program is designed to help OCR assess the HIPAA compliance efforts of the full range of entities covered by the HIPAA regulations. In 2011 and 2012, OCR conducted its Phase 1 audits, evaluating 115 covered entities. With Phase 2, OCR intends to expand its audit pool to cover business associates, as well as additional covered entities. The Phase 2 audits will consist primarily of desk audits, during which OCR will review policies and procedures implemented by covered entities and business associates to comply with HIPAA’s requirements, but some on-site audits also will be conducted.
OCR’s initial Phase 2 audit activities consist of gathering information from covered entities and business associates, including information about the size, type, and operations of potential auditees. This data, along with other publicly available information and information in OCR’s possession, will be used to identify potential audit subject pools. Once OCR has identified potential audit subjects, covered entities and business associates should expect the Phase 2 audit process to proceed very quickly. According to the FAQ posted on its website, OCR expects all of the Phase 2 desk audits to be completed by the end of December 2016. Not surprisingly, given this deadline, OCR expects each desk audit to be conducted in an expedited fashion, with entities having only 10 business days to respond to initial document requests. Auditees also will have only 10 business days to review and provide written comments on the auditor’s draft findings, and the auditor must then complete the final audit report within 30 days of receiving the comments.
Covered entities and business associates should act now to make sure they are ready to respond promptly in the event that they become the target of an audit. More importantly, covered entities and business associates should review their existing HIPAA compliance programs and latest risk assessments to ensure that they meet current requirements. To the extent that an entity identifies potential gaps in its program, the entity should promptly revise its compliance program to address the identified shortcomings. Entities also should make sure that documentation related to their HIPAA compliance program, such as risk analyses, business associate agreements, and documentation that training has been provided to workforce members, exists and can be compiled quickly. Taking these steps now will enable covered entities and business associates to respond quickly to a document request if they are selected as an auditee and will decrease the likelihood that an audit will identify significant gaps in their HIPAA compliance efforts.