Are You Ready for Round Two (of HIPAA Compliance Audits)?
In February 2014, the Health and Human Services Office of Civil Rights (“OCR”) announced its plans to send pre-audit surveys to between 550 and 800 entities during the summer in preparation for Phase 2 HIPAA compliance audits. After collecting information from those surveyed, OCR will select about 400 of those entities for actual HIPAA audits. Those audits will begin this fall – which is quickly approaching.
Of the 400 entities selected for audit, it is anticipated that 350 will be covered entities (further broken down as 232 health care providers, 109 health plans, and 9 health care clearinghouses) and the remaining organizations will be business associates. This is the first time the government will audit business associates. In addition to the increased scope, there are a number of ways in which the Phase 1 audits (conducted in 2011 and 2012) differ from the upcoming round:
Contractors conducted Phase 1 audits, but OCR staff will primarily conduct Phase 2.
Phase 2 audits will target the HIPAA standards for which the Phase 1 audits yielded high non-compliance numbers. The audits will be broken down by type: 100 entities will be audited for compliance with the Privacy Rule (including Notices of Privacy Practices and patient access to PHI); 100 will be audited on the content and timeliness of notifications under the Breach Notification Rule; and 150 will be audited on the risk analysis and risk management standards of the Security Rule. Business associates will only be audited for risk analysis, risk management, and breach reporting to covered entities.
Phase 2 will consist of desk audits rather than on-site visits. Auditors will not have the opportunity to seek clarification or additional data, and only data submitted on time will be considered.
OCR has indicated that Phase 2 and future audits may be tied to enforcement, whereas the findings from Phase 1 were not used for enforcement purposes.