Phase 2 HIPAA Audits Underway
Thursday, April 21, 2016
Doctor, Health, HIPAA
Print Mail Download i

Phase 2 HIPAA Audits Underway

The HHS Office for Civil Rights (OCR) has begun its effort to audit covered entities and business associates for compliance with HIPAA. We have previously reported on OCR’s preparations for these proactive audits.

OCR implemented Phase 1 of the program in 2011 as a pilot program, under which OCR evaluated the efforts of 115 covered entities to comply with HIPAA.  OCR described the pilot program as a “compliance improvement activity,” explaining that “OCR used the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective.”

In March, OCR announced the launch of Phase 2 of the HIPAA Audit program, under which it will expand to more covered entities and, for the first time, include proactive audits of business associates.  OCR explained that it will send covered entities and business associates, via email, a “pre-audit questionnaire” to gather data about the size, type, and operations of potential auditees to create audit subject pools.

Any covered entity or business associate may receive a pre-audit questionnaire. OCR has said that it will seek a “broad spectrum of audit candidates,” based on size, types, and operations.  Covered entities will be asked to identify their business associates.  Then, OCR will choose auditees based on a random sampling of the audit pool.  Covered entities and business associates that fail to respond to the questionnaire may still be part of the audit pool; OCR notes it will fill out the questionnaire based on publicly available data about the entity.

As Phase 2 moves forward, OCR states that these audits will, at first, consist of desk audits that review the HIPAA policies and procedures of the selected covered entities and business associates.  OCR plans to focus first on covered entities and then on business associates.  OCR then plans to conduct a third set of audits that will examine a “broader scope of requirements,” and some desk audits may turn into on-site audits.

As the OCR audits proceed, covered entities and business associates should take this opportunity to ensure that that HIPAA compliance programs are sound and that policies and procedures are up to date.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins