HHS Office for Civil Rights Announces Phase 2 HIPAA Audit Review Program

On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program.  The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules.  These rules are enforced by the HHS Office for Civil Rights (OCR).

Background on Phase 1

In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations.  The pilot audit program was conducted in three phases.  OCR first developed a set of audit protocols that it would use to evaluate covered entities’ compliance.  These protocols were then tested using a limited number of audits.  The final step involved using the revised audit protocols on a larger number of covered entities.  Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.

Phase 2

Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and Breach Notification Rules.  OCR has indicated that these audits will be conducted primarily through desk audits (i.e., document submissions), although a limited number of on-site audits will also be conducted.

Unlike Phase 1, which focused exclusively on covered entities, OCR is indicating that Phase 2 will involve audits of both covered entities and their business associates.

As with the initial pilot audit program, Phase 2 will consist of several stages.  The first stage involves verification of a covered entity’s or business associate’s address and contact information.  A sample address verification letter can be viewed by clicking here.  OCR has indicated that emails will be sent to entities requesting accurate contact information for the entity.  OCR will then transmit a “pre-audit questionnaire” to the entity.  These questionnaires will be used to gather data about the size, type, and operations of potential auditees.  Based on this data, OCR will create potential audit subject pools.

Note: OCR has indicated that if an entity fails to respond to OCR’s request to validate its contact information and/or fails to return the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  As a result, an entity that fails to respond may still be selected for audit and/or compliance review.  OCR is specifically reminding entities to check their email “junk” or “spam” folders for any communications from OCR.

Once OCR has developed its audit subject pools, it will randomly select auditees from these pools.  Auditees will then be notified by OCR of their participation.  OCR has indicated that the first set of audits will focus on covered entities, with a subsequent round of audits focused on business associates.  These audits will focus on compliance with specific requirements of the Privacy, Security, or Breach Notification Rules.  Auditees will be notified of the scope of their audit in a document request letter.  Both of these rounds will be desk audits.  OCR indicated that all desk audits will be completed by the end of December 2016.

A third round of on-site audits will take place after the completion of the desk audits, and will examine a broader scope of requirements under HIPAA.  OCR further indicated that desk auditees may also be subject to on-site audits.

If an entity is selected for audit, OCR will notify them by email.  The email will introduce the OCR audit team, explain the audit process, and discuss OCR’s expectations in greater detail.  The email notification letter will also include initial requests for documentation.  OCR has indicated that it will expect entities to respond to these documentation requests within ten (10) business days.  Documents will be submitted through a new secure online portal.  Once received, OCR’s auditors will review the submitted information and inform the entity of its draft findings.  The entity will then have ten (10) business days to respond with written comments, if any.  OCR will then review the entity’s comments and issue a final audit report within thirty (30) business days.

OCR has indicated that the audits are primarily intended as a compliance improvement activity.  OCR will use aggregated data to better understand compliance with respect to particular aspects of the HIPAA rules.  The goal is to understand what types of technical assistance and/or corrective actions would be most helpful.  In other words, OCR is indicating that the goal of these audits is to improve its understanding of the state of compliance, and not to penalize specific companies for violations.  However, OCR indicated that should an audit reveal a serious compliance issue, OCR may initiate a further compliance review of the company.

OCR indicated that it will not post a list of the audited entities, nor will its findings be available in a format that would clearly identify the audited entity.  However, OCR noted that audit notification letters and other information regarding these audits may be discoverable under the Freedom of Information Act (FOIA).

Additional information from OCR regarding the Phase 2 HIPAA Audit Program can be obtained by clicking here.


Brian Werfel

Brian S. Werfel, Esq. is a partner in Werfel & Werfel, PLLC, a New York based law firm specializing in Medicare issues related to the ambulance industry. Brian is a Medicare Consultant to the American Ambulance Association, and has authored numerous articles on Medicare reimbursement, most recently on issues such as the beneficiary signature requirement, repeat admissions and interrupted stays. He is a frequent lecturer on issues of ambulance coverage and reimbursement. Brian is co-author of the AAA’s Medicare Reference Manual for Ambulance, as well as the author of the AAA’s HIPAA Reference Manual. Brian is a graduate of the University of Pennsylvania and the Columbia School of Law. Prior to joining the firm in 2005, he specialized in mergers & acquisitions and commercial real estate at a prominent New York law firm. Werfel & Werfel, PLLC was founded by David M. Werfel, who has been the Medicare Consultant to the American Ambulance Association for over 20 years.