May 6, 2021

Volume XI, Number 126


Phase 2 of HIPAA Compliance Audits Now Underway

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (DHHS) recently announced that it has initiated Phase 2 of its audit program to assess Covered Entities’ and Business Associates’ compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules (the HIPAA Audit Program).

OCR has been under scrutiny in recent years for its lack of oversight and enforcement activity. In September 2015, the Office of Inspector General (“OIG”) of DHHS released a report which concluded that OCR needed to increase its oversight of Covered Entities’ and Business Associates’ compliance with the HIPAA Privacy Rule. OCR responded by stepping up its enforcement activities, including the initiation of Phase 2 of its HIPAA Audit Program.

In 2011 and 2012, OCR implemented Phase 1 of the HIPAA Audit Program by assessing the controls and processes implemented by a small sample of Covered Entities. Phase 2 of the HIPAA Audit Program will extend to Business Associates.

Covered Entities and Business Associates who are selected for the audit will receive an email from OCR requesting that contact information be provided to OCR. OCR will then transmit a pre-audit questionnaire to gather information about the Covered Entity or Business Associate, which will be used to create potential audit subject pools. OCR has indicated that a Covered Entity or Business Associate may be selected for an audit or subject to a compliance review, even if it does not verify its contact information or submit a pre-audit questionnaire.

OCR will notify the Covered Entities and Business Associates that have been selected for an audit. OCR will be performing two types of audits – a “desk audit” and an “onsite audit.” If an entity is subject to a “desk audit”, OCR will submit a document request to the Covered Entity or Business Associate, and the entity will have ten business days to submit documentation responsive to OCR’s request. If an entity is subject to an “onsite audit”, OCR will conduct a three- to five-day onsite audit of the entity. OCR has not yet posted on its website the updated audit protocol that reflects the HIPAA Omnibus rulemaking, but states that it will do so prior to conducting the 2016 audits. OCR will draft a report of its findings from either the desk audit or the onsite audit, and Covered Entities and Business Associates will have the opportunity to review and comment on the draft report. The auditor will complete a final audit report for each entity within thirty business days of the initiation of the audit. In the event that an audit report indicates a serious compliance issue, OCR may initiate a compliance review to further investigate the Covered Entity or Business Associate. Covered Entities and Business Associates may be fined for non-compliance.

What You Should Do Now

Covered Entities and Business Associates should prepare now to respond to OCR audit requests and proactively address any outstanding HIPAA compliance issues within their organization. Some key areas of compliance include:

  • Conducting regular security risk assessments and documenting corrective actions to address identified risks,

  • Ensuring that the organization has adequate, documented HIPAA compliance policies and procedures (including protections for laptops and mobile devices and other key areas for risk of breaches), and

  • Providing HIPAA training to employees.

OCR recently released a crosswalk, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that maps the NIST Framework for Improving Critical Infrastructure Cybersecurity to the HIPAA Security Rule. Covered Entities and Business Associates should assess their security policies and procedures in the context of this recently released crosswalk and the HIPAA Audit Protocol when considering the adequacy of their security posture.

© 2021 Foley & Lardner LLP

National Law Review, Volume VI, Number 83

About this Author

M. Leeann Habte, Foley Lardner, Health Care Lawyer, Los Angeles
Senior Counsel

Leeann Habte is senior counsel and a health care business lawyer with Foley & Lardner LLP. A former director at UCLA and the Minnesota Department of Health, she has practical experience in developing and implementing health care data privacy and security policies and procedures, managing IT resources, and human subjects protection compliance. Ms. Habte is a member of the Health Care and Life Sciences Industry Teams and Privacy, Security & Information Management Practice. She is also a Certified Information Privacy Professional.

Claire Marblestone, health care lawyer, Foley and Lardner, Law firm

Claire Marblestone is a Partner and health care lawyer with Foley & Lardner LLP. Her practice focuses on transactional and health care regulatory matters, with an emphasis on HIPAA compliance, the Anti-Kickback Statute, Stark law, provider enrollment, and licensure and certification. She advises a number of clients, including hospitals, health systems and physician groups on regulatory and compliance issues presented by telemedicine and telehealth.