The Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced on March 21, 2016, that it has officially begun Phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) Audit Program. Phase 2 will consist of more than 200 desk and onsite audits of both covered entities and business associates to determine their compliance with the Privacy, Security, and Breach Notification Rules. By contrast, the Phase 1 pilot audit program conducted in 2011 and 2012 targeted only covered entities and involved just 115 audits.

The Process

According to an OCR press release, Phase 2 will include “a broad spectrum of audit candidates” that OCR will randomly select from pools that “represent a wide range of health care providers, health plans, health care clearinghouses and business associates.”

Selection

• OCR has already begun sending out communications to covered entities “of various types” to verify their contact information for future communications. 

• Once contact information is verified, OCR will distribute a pre-audit screening questionnaire to gather data “about the size, type and operations of potential auditees,” including having covered entities identify their business associates, if any. 

• OCR will create audit pools based on the responses to these pre-audit screening questionnaires, from which it will select a random sample of entities in the audit pool.

Desk Audits

• OCR “expects covered entities that are the subject of an audit to submit requested information via OCR’s secure portal within 10 business days of the date on the information request.” In addition, all documents must be in digital form and must be submitted electronically to a secure online portal that OCR has specifically developed for Phase 2.

• After selected entities are notified of their participation, OCR will begin a round of desk audits for covered entities, followed by a round of desk audits for business associates. 

• All desk audits will be completed by the end of December 2016. 

• It is important to note that desk auditees may be subject to a subsequent onsite audit.

Onsite Audits

After the desk audits, OCR will conduct onsite audits to examine “a broader scope of requirements from the HIPAA Rules than desk audits.”

• Those entities that are selected for an onsite audit will be informed by email of their selection, and an auditor will schedule a conference to provide more information about the onsite audit process. 

• OCR expects each onsite audit to be conducted over three to five days, depending on the size of the entity. 

• OCR has not indicated if onsite audits for health care providers such as home health agencies will include both the entity’s site and the patient sites.

• OCR has not yet set a timeline for onsite audits.

Follow-up

At the conclusion of desk audits and onsite audits, OCR will provide the auditee with draft findings. OCR has not yet established a time frame for when the draft findings might be provided. Auditees are allowed a period of 10 business days to respond to the draft findings. Within 30 business days of receiving the response, or from the close of the response period if no response is received, OCR will issue a final audit report.

After the audit process, OCR will review and analyze the information from the final reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful, and then work to develop tools and guidance to assist the HIPAA-regulated industry with self-compliance and evaluation and with preventing breaches.

While Phase 2 audits are not intended “to be a punitive mechanism,” serious compliance issues may nevertheless prompt OCR to further investigate an entity and possibly initiate a compliance review. In addition, OCR may be required to release audit notification letters and other information about audits in response to Freedom of Information Act requests.

Responsibility

Entities should be prepared to verify their contact information and to respond to OCR’s pre-audit screening questionnaire, including providing the names of business associates if requested. The individual identified to OCR as the primary contact at covered entities and business associates should be on the lookout for email communications from OCR, including checking their junk or spam email folders for emails from OCR. When a covered entity or business associate does not respond to a communication from OCR, OCR will use publically available information to create its audit pool, and the entity may nevertheless be selected for an audit or subject to a compliance review.