OCR’s Highly Anticipated Phase 2 HIPAA Audits Are Underway
Wednesday, March 23, 2016
HIPAA, OCR’s Highly Anticipated Phase 2 Audits Are Underway
Print Mail Download i

On Monday, the HHS Office for Civil Rights (OCR) announced it has rolled out Phase 2 of its HIPAA audits, and entities have already begun receiving initial emails from OCR seeking audit contact information. The Phase 2 Audit Program is aimed at reviewing the policies and procedures of selected covered entities and their business associates to evaluate compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR’s announcement comes after data breaches in the health care industry compromised over 112 million records in 2015, according to OCR. 

Phase 1 Audits 

The HITECH Act required OCR to conduct periodic audits of covered entities and their business associates. Beginning in late 2011, OCR implemented a pilot audit program to assess the privacy and security controls and processes implemented by 115 covered entities across the country. Auditors then made site visits to each covered entity to evaluate compliance efforts. Following the site visits, auditors drafted a report describing how the audit was conducted, the compliance findings, and what actions the covered entity had taken in response to those findings. The covered entity then had an opportunity to develop corrective actions to address any identified concerns. The final report submitted to OCR incorporated the steps the covered entity took to resolve any compliance issues. 

OCR reviewed the final reports to better understand compliance efforts with respect to the HIPAA Privacy, Security and Breach Notification Rules. In particular, OCR studied the final reports to ascertain what types of technical assistance should be developed and what forms of corrective action are the most effective. In reviewing the final reports, OCR determined several common shortcomings among covered entities, including inadequate risk analysis, outdated policies and procedures, and non-existent contingency plans. 

OCR then announced its intentions to initiate a permanent audit program that was originally slated to begin in 2014. However, due to a lack of funding, OCR delayed the program. In May 2015, OCR began sending pre-audit screening surveys to covered entities classified as potential candidates for a Phase 2 Audit Program. In late 2015, OCR confirmed Phase 2 audits would begin in early 2016. 

Phase 2 Audits 

In the Phase 2 Audit Program, there will be a few significant changes from Phase 1 audits. First, business associates will be included in this round of audits. Additionally, most of the audits will be desk audits while only a few may ultimately result in more extensive on-site audits. 

Phase 2 has already begun, with OCR sending out emails to covered entities to verify contact information. Every covered entity and business associate is eligible for an audit. Once OCR confirms an entity’s contact information, it will transmit a pre-audit questionnaire to gather data that will be used to create potential audit subject pools. OCR will then identify pools of covered entities and business associates who represent a wide range of organizations subject to the HIPAA Rules. 

The Phase 2 Audit Program will be a three step audit process. The first set of audits will be desk audits of covered entities followed by a second round of desk audits of business associates. The desk audits will examine specific compliance requirements of the Privacy, Security and Breach Notification Rules. According to OCR, all desk audits will be completed by the end of December 2016. Finally, while OCR states there will be fewer in-person audits than in the Phase 1 Audit Program, a third set of audits may be conducted onsite, which will be more comprehensive than desk audits and cover a broader range of HIPAA requirements. 

In an effort to promote transparency, OCR will post audit protocols on its website closer to the 2016 audits. OCR has also announced the procedures used and results found in the Phase 2 audits will be evaluated so as to develop a permanent HIPAA audit program. 

Implications for Health Care Entities 

The launch of the Phase 2 Audit Program confirms OCR’s commitment to the evaluation of compliance with and enforcement of the HIPAA Privacy, Security and Breach Notification Rules. 

If you are an entity subject to the HIPAA Rules, be on the lookout for emails from OCR and review your HIPAA policies and procedures, risk analysis, and other compliance documents.

OCR’s announcement regarding the launch of Phase 2 of the HIPAA Audit Program can be found here. 

© 2024 Dinsmore & Shohl LLP. All rights reserved.

Current Legal Analysis

More from Dinsmore & Shohl LLP

National Security of Data? U.S. Government Issues Executive Order Aimed at Protecting Americans’ Personal Data: How Does New Cyber Security Executive Order Affect Your Business?
by: Craig S. Horbus , Jarman J. Smith
H-1B Lottery Ends: You’ve Been Selected! Now What?
by: Barbara W. Menefee , Nathan Hall
California Employers on Deadline: Workplace Violence Prevention Plan Required by July 1
by: Olivia B. Perry
Lawsuit Challenges New USCIS Fee Rule
by: Dwight D. Myfelt , Barbara W. Menefee
U.S. District Court: The Corporate Transparency Act is Unconstitutional…for Some Businesses
by: Eric S. Fox
Supreme Court Issues Warning for Public Officials Using Social Media
by: Justin M. Burns , Keeley B. Gogul
PPP Loan Investigations and Prosecutions are on the Rise
by: Dinsmore & Shohl LLP
Ohio Supreme Court Allows Workplace Cities to Tax Remote Workers During COVID
by: Rebecca D. Conrad
Still on Top: Cybersecurity Incidents Ranked #1 Global Business Threat in 2024
by: Craig S. Horbus
Smooth Sailing: U.S. Department of State Reports Success with H-1B Visa Renewal Program
by: Kelli L. Hayes , Dwight D. Myfelt

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins