*This article was originally published on Law360.
On March 21, 2016, the U.S. Department of Health and Human Services' Office for Civil Rights announced it was beginning its next round of audits of covered entities and business associates for compliance with the Health Insurance Portability and Accountability Act privacy rule, security rule, and breach notification rule (the phase two audits). The phase two audits will consist primarily of desk audits during which OCR will review policies and procedures implemented by covered entities and business associates to comply with HIPAA’s requirements, but some on-site audits also will be conducted. Covered entities and business associates should take this opportunity to prepare for potentially being the target of an audit by making sure that their HIPAA compliance programs and associated policies and procedures are fully up-to-date and are being implemented appropriately.
Previous HIPAA Audit Activity
OCR uses its audit program to assess the HIPAA compliance efforts of the full range of entities covered by the HIPAA regulations. The Health Information Technology for Economic and Clinical Health Act requires OCR to conduct periodic audits of compliance with the HIPAA requirements by covered entities and business associates. In 2011 and 2012, OCR conducted a pilot audit program, which evaluated the policies and procedures implemented by 115 covered entities (the phase one audits). At the conclusion of the pilot program, OCR noted its intention to implement a second round of audits covering both covered entities and business associates.
OCR at first indicated its intention to begin the second round of audits in the fall of 2014, but OCR later announced that this start date would be delayed, at least in part to give OCR time to test its new web portal. After releasing no information about the timing of the phase two audits for an extended period, OCR had recently begun signaling strongly, in statements at conferences and in its response to a report by the Office of Inspector General, that the phase two audit program would begin in the near future. It also was announced in September 2015 that OCR had awarded the contract for conducting the phase two audits to FCi Federal. While OCR’s statements about the impending arrival of the phase two audits often indicated that OCR would release its new audit protocol before launching the phase two audit program, OCR apparently has decided to begin the information gathering phase of the phase two audits before releasing its audit protocol. According to the press release announcing the launch of the phase two audits, OCR plans to post the updated audit protocols to its website closer to conducting the 2016 audits.
OCR’s Current Information Gathering Activity
For now, OCR is sending emails to covered entities and business associates to verify and/or obtain contact information. OCR will then be transmitting pre-audit questionnaires to these entities. The questionnaires will be used to gather data about the size, type and operations of potential auditees, and will also require entities to identify their business associates. This data, along with other publicly available information and information in OCR’s possession, will be used to identify potential audit subject pools. Notably, entities that do not respond to OCR’s request for contact information or to the questionnaire may still be selected for an audit.
Every type of covered entity and business associate is eligible to be audited, including individual and organizational health care providers, health plans of all types and sizes, health care clearinghouses, and all types of business associates. OCR plans to audit a broad spectrum of entities so that it can assess compliance across the industry. In keeping with this goal, the criteria used in selecting entities to audit will include size of the entity; its affiliation with other health care organizations; the type of entity and its relationship to individuals; the public or private nature of the entity; geographic location; and present enforcement activity with OCR. OCR will not audit entities that currently are undergoing a compliance review or are the subject of an open complaint investigation.
OCR has not yet released definitive information regarding the number of entities that will be the subject of phase two audits. However, various reports have circulated that estimate phase two will consist of approximately 200 desk audits and 25 on-site audits.
Expected OCR Actions in the Near Future
While OCR is currently gathering information, covered entities and business associates should expect actual audit activities to begin within a few months. OCR notes in an FAQ on its website that phase two will consist of a first round of desk audits of covered entities followed by a second round of desk audits of business associates, and OCR expects both rounds of desk audits to be completed by the end of December 2016.
Given this deadline, it is no surprise that OCR expects to conduct each desk audit in a fairly expedited manner. Entities selected for audits will be notified of their selection for a desk audit via email. The notification letter will include initial requests for documentation, and covered entities and business associates will have 10 business days to submit the requested information via OCR’s new secure online portal. All documents will be required to be submitted electronically. OCR does not specify how long the auditor will have to complete its review of the submitted documents. However, once the auditor has submitted draft findings to the audited entity, the entity will have only 10 business days to review and provide written comments. The final audit report will be completed by the auditor within 30 days of receiving the comments. OCR will share a copy of the final report with the audited entity.
On-site audits will be more comprehensive than the desk audits, and they will cover a wider range of HIPAA requirements. In general, on-site audits will follow a process and time frame similar to the one being used for desk audits, although there is no indication that the initial notification letter will include a documentation request. Each on-site audit is expected to be conducted over three to five days, with the auditor’s draft findings being written after the on-site review has been completed.
Follow-Up Actions to Audits
OCR intends to use the results of the phase two audits primarily for compliance improvement activities, noting that it will use information obtained through the phase two audits to develop tools and guidance to assist covered entities and business associates with completing compliance self-evaluation and in preventing breaches. OCR also will rely on its phase two audit experience in developing its permanent audit program. However, OCR does reserve the right to initiate a compliance review if an audit identifies serious compliance issues.
Steps that Covered Entities and Business Associates Should Take Now
Given the launch of the phase two audits and the expedited time frame in which audits will be conducted once they are initiated, covered entities and business associates should take steps now to ensure that they are ready to respond, as they otherwise may find it difficult to meet the specified deadlines. Preparing for an audit now also minimizes the risk that an audit will identify significant problems, substantially lessening the risk that OCR will initiate a compliance investigation based on the audit results.
Specific steps to help prepare for an audit include:
- Develop an audit response plan. Covered entities and business associates should identify the individual who will take the lead in responding to an OCR audit request. In many cases, this individual will be an entity’s privacy officer and/or security officer, but there may be circumstances in which an entity may prefer to have another individual lead the audit response. Entities also should identify other individuals who may need to be involved in responding to an audit, determine the resources that these individuals can use in responding to the audit, and identify and locate all potentially relevant documentation.
- Continually check email inboxes for communications from OCR. Audit-related emails will be sent from OSOCRAudit@hhs.gov. Entities should make sure that communications from this address are not diverted to junk or spam email folders; OCR has stated that it expects entities to check those folders for its emails. Some larger organizations also may have the technological capability to automatically forward emails from this address to a designated individual within the organization, even if OCR has addressed its email to a different person.
- Perform an assessment of existing HIPAA compliance programs and associated policies and procedures. Entities should assess their existing compliance policies and procedures to ensure that they meet current requirements. To the extent that this review identifies any compliance gaps, entities should promptly revise their policies and procedures and implement any changes needed to address the identified issues. Until the new audit protocol is released, entities also may want to consider completing the current audit protocol as part of their risk assessment process.
- Address areas of concern identified by previous OCR activities. As part of their compliance program reviews, entities should focus on ensuring that their HIPAA compliance activities address specific issues that have been identified by the phase one audits and/or recent OCR resolution agreements with providers. Most notably, the findings from OCR’s phase one audits noted that two-thirds of the entities audited lacked a complete and accurate risk assessment, and the recent resolution agreements that OCR has entered into with providers indicate that many entities still are not completing the required enterprise-wide risk analysis and/or are not implementing appropriate controls to address weaknesses identified by this analysis. A recent resolution agreement also emphasized the importance of executing a business associate agreement.
- Identify and locate business associate agreements and other HIPAA-required documentation. As noted above, OCR’s questionnaire will require entities to disclose their business associates. Compiling all existing business associate agreements now will allow an entity to quickly provide this information in response to the questionnaire, while at the same time providing an opportunity to confirm that all necessary business associate agreements are in place.
In addition to compiling all business associate agreements, entities also should make sure that all other documentation that could be asked for related to their HIPAA compliance program exists and can be compiled quickly. Related documentation includes, but is not limited to, copies of policies and procedures, training materials (and proof that training has been completed), and breach logs, as well as other documents such as written determinations explaining why addressable security rule specifications have not been implemented (if applicable).
- Keep an eye out for the release of OCR’s updated audit protocols. As noted earlier, OCR has stated that it will post the new protocols, which will reflect changes implemented by the HIPAA omnibus rulemaking, on its website closer to conducting the 2016 audits. Once the revised protocols are released, entities should consider conducting a mock audit response and putting together all of the documentation necessary to successfully respond to an audit. Organizations also may want to consider providing comments on the new protocols to OCR if they feel that any of the protocol requirements should be revised or are unduly burdensome.
Responding to a third-party audit can be disruptive to an organization, but this disruption can be minimized by entities that take proactive steps to prepare for such audits. By taking the steps outlined above, covered entities and business associates will be much better prepared to successfully respond to a phase two audit if they are selected as an audit target.