Though the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has told organizations to expect the Phase 2 HIPAA audits soon for almost two years now, it appears that the audits truly are around the corner. In September, OCR Director Jocelyn Samuels confirmed that the next phase of the audit program will be launched soon, and the agency is stepping up its HIPAA oversight efforts. OCR also recently confirmed that it had selected a vendor to conduct the Phase 2 audits. Before these audits start, there are a few key things to make sure your organization is doing in order to be fully prepared.

The 2009 HITECH Act mandated that OCR conduct periodic audits of covered entities and business associates for compliance with HIPAA requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. Those audits, based on the Phase 1 audit protocol, identified best practices and the highest areas of risk for the covered entities involved. Security issues were the most common finding, and almost two-thirds of entities had not conducted an adequate security risk analysis.

From what we know so far, the Phase 2 audits appear to be more focused and higher stakes. OCR has stated that a revised audit protocol will be released, but a date for such release has not yet been set. In addition, the Phase 2 audits will reach not only covered entities, but also business associates. The audits will be:

  • more limited in scope, focusing on specific areas of common non-compliance;
  • primarily “desk audits,” in which entities will be required to submit documentation electronically, in accordance with tight deadlines, with no opportunity for follow-up or clarification; and
  • a vehicle for OCR to identify best practices, though they may also lead to further investigation and referral to a regional office for a comprehensive compliance review.

The good news is, there’s still time to prepare. What can your organization do to be ready in case you’re selected for a Phase 2 HIPAA audit?

  • Maintain a robust privacy and security program. The best preparation is done on an ongoing basis and is incorporated into your organization’s compliance plan.
  • Prioritize. If your compliance program is not yet where you’d like it to be, take this time to focus on areas that OCR has identified as areas of heightened interest:
    • Risk analysis and management
    • Breach reporting
    • Encryption and decryption
    • Transmission security
    • Training
    • Access controls and authentication
    • Patient access
    • Individual rights
  • Identify gaps and remediate accordingly. Identify the gaps uncovered by risk assessments and audits, as well as compliance reviews. Document the remediation measures taken to address each gap.
  • If you’re doing it, document it. These audits will be primarily desk audits — which means that unless you have documentation you can submit to OCR, you may not get credit for the privacy- and security-focused practices at your organization. In particular, keep in mind the following:
    • Policies and procedures should be updated to reflect organizational changes, as well as changes to HIPAA/HITECH requirements.
    • Document policy compliance and training completion.
    • Ensure documentation is clear and complete.
    • Create a timeline of compliance activities.
    • Retain documents as appropriate (e.g., six years for training documents, in accordance with HIPAA).
    • Centralize your policies, incident response plans, risk analyses and management plans, and logs of procedures.
    • Maintain a current list of business associates and their contact information, as well as copies of each business associate agreement.
  • Know your team. Identify someone to lead the document collection and production efforts, serving as the main point of contact for OCR. Know which individuals are responsible for each issue area, and educate them on what to expect if selected for a HIPAA audit.
  • Learn from the past. Pay special attention to recent settlements to see where OCR has focused its enforcement authority and how it’s determining penalties and corrective action plans. OCR has recently stepped up its enforcement activity, publishing three settlement agreements in the last month alone, including one agreement that resulted in a US$3.5 million payment. Remember, Phase 2 audits will have the potential to expand to compliance reviews, which can result in enforcement actions. Spending the time and resources up front to be prepared could result in savings down the road.
  • Timing is everything, and practice makes perfect. It has been reported that the Phase 2 audits will have a ten-day turnaround time, which will require your organization to locate documentation quickly. Complete a walkthrough or mock audit (use the Phase 1 audit protocol until the new protocol is released). Apply actual OCR audit timelines, and create a list of the tough issues that might arise. Prepare for them in advance, and then use the findings of the mock audit to improve preparedness.