After a considerable delay, the HHS Office for Civil Rights has officially launched Phase 2 of its HIPAA audit program to assess compliance with the privacy, security and breach notification rules.

The agency said that part of the reason for the delay in the program was that it needed to implement improved technology, including deployment of a secure web portal for organizations to submit information,

Adam Greene, an attorney at the Davis Wright Tremaine law firm and a former OCR official, believes updated audit protocols will be issued soon, as covered entities already are receiving initial audit contact emails asking for information that OCR will use to decide which organizations to audit. Covered entities and business associates should get ready now, because they only have 10 days to produce requested documents and 10 days to respond to a draft audit report, he adds.

In the launch announcement, OCR did not specify how many such audits will be done during 2016; the agency also did not respond to an email query on the number of audits. In previous presentations, OCR has said it expected about 200 audits, and HIPAA attorneys Valerie Breslin Montague and Laurie Cohen of the Nixon Peabody law firm say they believe that number is about right.

Most audits will be “desk audits,” with OCR sending covered entities and business associates of all sizes, types and functions an email stating they have been selected for an audit and specifying information the agency would like submitted via a secure portal. Click here for a sample email letter.

“Communications from OCR will be sent via email and may be incorrectly classified as spam,” the agency warns. “If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk mail or spam email folder for emails from OCR.”

The first set of audit notices will be sent to covered entities, with a second set going to business associates. All audits are expected to be completed by the end of 2016.

An undisclosed number of audits will be on-site visits. “There will be fewer in-person visits during these Phase 2 audits than in Phase 1, but auditees should be prepared for a site visit when OCR deems it appropriate,” according to the agency. Onsite audits will take three to five days and will be more comprehensive than desk audits, covering a wider range of HIPAA requirements.

Entities not responding to an emailed request for information may still be selected for an audit. OCR will assess results of the Phase 2 audits to inform development of a permanent audit program.

With the launch of Phase 2, David Holtzman, vice president of compliance strategies at security vendor CynergisTek and a former OCR official, says now is the time for covered entities and business associates to review and update HIPAA policies and procedures.

Major provisions that could be covered in an audit, according to Holtzman and Greene, include an enterprise-wide risk assessment along with mitigation plans (risk management), meeting HIPAA requirements to give patients access to their records upon request, understanding the processes and content of breach notifications, and the notice of privacy practices.

The big change in Phase 2 of the HIPAA audits is the inclusion of business associates; OCR had said that BAs would be included in Phase 1, but they were not, says Linn Freedman, a HIPAA attorney at the Robinson & Cole law firm in Providence, R.I. That’s important because BAs are a significant source of breaches. She expects that when OCR audits BAs, it will closely examine their processes for ensuring that subcontractors sufficiently secure protected health information.

For covered entities and BAs selected for audits, Freedman gives a warning: “It’s a scary process if you’re chosen. It’s never a pleasant process to undergo an audit or investigation. It’s rigorous. My advice is you should get ready.”

Information from OCR on the audit process is available here.
