On Monday, March 21, 2016, the HHS Office for Civil Rights (OCR) launched Phase 2 of its HIPAA audit program and began emailing certain health care providers (large and small) an inquiry to obtain or verify their contact information. The OCR will also soon send those health care providers (and business associates) that receive the inquiry email a screening questionnaire in anticipation of a HIPAA audit. The questionnaire is designed to gather data about the size, type, and operations of the health care provider and the identity of its business associates. An entity that fails to respond to the OCR’s pre-screening inquiries may still be selected for a HIPAA audit or a HIPAA compliance review.
The OCR will notify those health care providers and business associates who have been selected for an audit by email. Health care providers may be subject to a desk audit followed later by an onsite audit. The OCR expects health care providers who are subject to an audit to submit the requested documentation and information within 10 business days of the date on the request. Although the OCR describes the program as primarily a compliance improvement and technical assistance activity, the OCR can initiate a compliance review of a health care provider and then further investigate compliance issues it uncovers in the audit process.