July 15, 2018

July 13, 2018


Phase 2 HIPAA Audits Are Underway: Department of Health and Human Services Office for Civil Rights

In Depth

The US Department of Health and Human Services Office for Civil Rights (OCR) announced on March 21, 2016, that it would soon begin a second phase of audits (Phase 2 Audits) of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards), as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR will conduct Phase 2 Audits of both covered entities and their business associates, unlike the pilot audits of 2011 and 2012 (Phase 1 Audits), which focused on covered entities alone.

The HIPAA Standards define “covered entities” as follows:

  • Health plans, including individual health plans, employer-sponsored group health plans, health insurers and health maintenance organizations

  • Health care clearinghouses that process and reformat health information

  • Health care providers that transmit protected health information (PHI) electronically in financial or administrative transactions covered by HIPAA’s administrative requirements 

Under ERISA, a group health plan and the employer that sponsors the plan are separate legal entities. The employer sponsor of the group health plan is not a covered entity, but the group health plan that the employer sponsors is a covered entity. The HIPAA Standards cover many types of group health plans, including medical, dental, vision, prescription drug, health care flexible spending account plans, and certain wellness and employee assistance programs. An employer often relies on third parties (business associates) to perform many of the health plan’s functions, such as recordkeeping, claims processing, utilization review and case management. A covered entity group health plan is required to enter into a business associate agreement with its service providers before disclosing plan participants’ PHI, and these service providers also have obligations under the HIPAA Standards.

Phase 2 Audit Process

The Phase 2 Audits are intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates, and to build a permanent HIPAA audit program. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties. OCR’s enforcement activities have resulted in $11 million in settlements since fall 2015. 

OCR has randomly selected a pool of covered entities and business associates for Phase 2 Audits, and emails have already been issued to potential audit targets with a pre-screening questionnaire to collect demographic and business associate information. OCR will use this information to select approximately 200 targets on which to perform desk audits, which it intends to complete by the end of 2016.

Covered entities and business associates will have a short timeframe (approximately 10 days) to respond to OCR’s audit request, submit requested documentation to an online portal and identify business associates. Audited entities will have the opportunity to review findings and provide written comments to the auditor before the audit report is finalized. OCR will take into account management’s response and issue a final report of its findings. Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review. In addition, certain desk audits may evolve into onsite audits. 

The Phase 2 Audits will target HIPAA Standards with high occurrences of non-compliance in the Phase 1 Audits, including risk analysis and risk management; content and timeliness of breach notifications; notice of privacy practices; individual access; the Privacy Standards’ reasonable safeguards requirement; training on policies and procedures; device and media controls; transmission security; and cybersecurity. In connection with the Phase 2 Audits, OCR issued a revised HIPAA Audit Protocol, which will be useful to covered entities and business associates in assessing their compliance with the HIPAA Standards.

How to Prepare for Phase 2 Audits and OCR Enforcement

Covered entities, including employers that sponsor group health plans, and their business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

  • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment).

  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion.

  • Use the results of the Risk Assessment to implement a robust risk management program.

  • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests, and that business associate agreements (i) have been updated to comply with the most recent requirements and (ii) have been executed.

  • Confirm that all required HIPAA privacy and security policies are in place and up to date.

  • Confirm that the entity’s Notice of Privacy Practices is up to date and that procedures are in place for providing the Notice to plan participants and other individuals.

  • Document training of work force members.

  • Ensure that plan documents have been amended to incorporate HIPAA-required provisions, and that the plan sponsor has certified to the plan that the proper amendments have been made.

  • Conduct and document an updated security risk analysis; if deficiencies exist, correct them and document the corrections.

  • If the organization has not implemented certain of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (i) the reason for its conclusion that the standard was not reasonable and appropriate, and (ii) all alternative security measures that were implemented.

  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards, and that breach notification procedures are in place with business associates.

  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI.

  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own device environment).

  • Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has documented the risk analysis supporting the decision not to employ encryption.

  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan.

  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures).

© 2018 McDermott Will & Emery


About this Author

Ann Killilea, McDermott Will & Emery Law Firm, Employee Benefits Attorney

Ann Killilea is counsel in the law firm of McDermott Will & Emery LLP and is based in the Firm's Boston office. Ann brings to the Firm and to its Global Privacy and Data Protection Affinity Group more than 25 years of experience as senior in-house corporate counsel advising Hewlett-Packard Company (HP) and its predecessor companies Compaq Computer Corporation and Digital Equipment Corporation, all multinational companies in the information technology industry.