Phase 2 of the HIPAA audits is fully underway, and covered entities now can take a breath if they have not received a desk audit request. But we still are at the beginning of Phase 2, with more to come.
Preparing for Audits. Some steps that covered entities and business associates can take to further prepare:
- Business associates should verify that risk analysis, risk management, and breach notification policies and procedures, and supporting documentation, are in place and readily available;
- Covered entities and business associates should leverage the Office for Civil Rights (“OCR”) audit protocol and other tools (such as the DWT HIPAA Audit Toolkit) to prepare for the possibility of an onsite audit and improve their compliance posture; and
- Covered entities should focus on likely areas of future desk audits, such as device and media controls, transmission security, privacy safeguards, privacy training, encryption and decryption, and facility access controls.
Where We’ve Been. OCR’s Phase 2 audits involve desk audits and onsite audits of covered entities and business associates. The desk audits began on March 21, 2016 with OCR sending e-mails to some covered entities and business associates verifying primary contact information. OCR sent follow-up e-mails with pre-screening questionnaires (to collect demographic information about the potential auditees) beginning April 4th. Then OCR sent e-mails initiating desk audits of 167 covered entities on July 11th. Covered entities either were audited on:
- Privacy/Breach practices for notice of privacy practices, the individual right of access, and breach notification; or
- Security practices concerning information security risk analysis and risk management.
Each audited covered entity also was required to provide a list of its business associates and associated contact information.
Next Up: Business Associates. Business associates are next in line for audits. OCR has indicated that it will conduct desk audits of business associates beginning as early as late September (although timing could be delayed). We do not know the exact number, but OCR is likely to desk audit between 33 and 83 business associates. OCR may select business associates for whom it previously had information (such as because they were identified in a complaint or breach report) and who previously received an e-mail verifying contact information, or from the lists that the 167 audited covered entities provided. Desk audits of business associates will focus on practices related to information security risk analysis, risk management, and breach notification to covered entities. Selected business associates likely also will be asked for a list of subcontractor business associates to assist OCR with augmenting its business associate list for future audits.
Therefore, business associates should verify that they have, in part:
- Policies and procedures governing risk analysis and management and breach notification;
- Copies of current and recent risk analyses and risk management plans;
- Evidence of appropriate internal distribution of and training on these documents;
- Copies of breach notifications to covered entities or breach risk assessments finding low probability of compromise; and
- The ability to generate a list of subcontractor business associates, including associated contact information.
And Don’t Forget the Full Audits. In addition to the desk audits, OCR is moving ahead with onsite, comprehensive audits. These audits have been delayed until 2017, and our understanding is that OCR plans to perform approximately 24 onsite audits (although this number is subject to change). It is these audits in which OCR will use the full audit protocol that was updated in April. We expect that covered entities and business associates will be notified of onsite audits next year via e-mail, followed by an entrance conference and a three- to five-day onsite audit. They then will receive a draft report and have only ten business days to respond to the draft findings (which could cover hundreds of audit inquiries).
Assessing compliance against the audit protocol is a daunting task and should be treated as a substantial compliance project. Accordingly, the time to start is now. Davis Wright Tremaine LLP has updated its HIPAA Audit Toolkits for covered entities and business associates to incorporate the revised audit protocol. The Toolkits include assessment tools that complement the protocol by providing additional information about what content should be in policies and procedures. Information about the Toolkits is available here.
And this is Only Phase 2. Based on an OCR presentation from 2014, future desk audits of covered entities likely will focus on:
- Device and media controls;
- Transmission security (e.g., encryption of e-mails and other communications);
- Privacy safeguards (e.g., physical security of paper records, administrative safeguards to reduce the risk of misdirected faxes, etc.);
- Privacy training; and
- Encryption of data at rest.
While the number of audits has changed since 2014, much of the remaining information in the 2014 presentation has proven accurate. Accordingly, now is a good time for covered entities to verify that they have policies and procedures with respect to the above HIPAA provisions in place, along with documentation demonstrating implementation of the policies and procedures (e.g., screen shots of security configurations, evidence of receipt of training, etc.).
OCR has indicated that the Phase 2 audits are the start of a more permanent audit program. Accordingly, while the first batch of desk audits is already out the door, covered entities and business associates should continue to prepare for the many audits to come. Such preparation also will improve overall compliance efforts, better preparing organizations for responding to OCR investigations that are triggered by complaints or breaches.