On March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the commencement of its Phase II Health Insurance Portability and Accountability Act (HIPAA) audit program. Phase II marks the second part of OCR’s efforts to satisfy an obligation mandated by Congress under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The program is significant for covered entities such as group health plans and business associates, as either may be contacted through the audit effort.

How will Phase II proceed?

OCR will address Phase II in three stages.

1. Stage 1 involves a desk audit of covered entities. OCR anticipates that Stage 1 will be completed by the end of 2016.

2. Stage 2 will be a desk audit of business associates.

3. Stage 3 will include on-site audits of both covered entities and business associates. Inclusion in Stages 1 or 2 will not preclude a covered entity or business associate from being subject to Stage 3.

On March 21, OCR sent e-mail correspondence to covered entities to confirm contact information. A model copy of the letter is available at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index. Covered entities should understand that failing to respond to the letter will not avoid the audit. Rather, due to truncated response times when the audit begins, failure to respond may actually hurt the covered entity’s ability to respond timely to the questions given that audit responses will be due 10 business days following request. OCR encourages covered entities to review spam filters to determine if the e-mail was caught. However, covered entities should also be warned that the compliance industry suspects the e-mail delivery might trigger phishing scams.

The actual audit protocol is expected to be published shortly. That said, OCR is expected to focus on covered entity compliance with privacy (specifically, compliance with the notice of privacy practices and access requirements), security (specifically, compliance with risk analysis requirements) and breach notification rules. OCR is also anticipated to collect the identity of business associates retained by the audited covered entity.

What should plan sponsors do?

Plan sponsors should ensure that they have not received an audit request, including by checking spam filters. Those that have received an audit request should prepare to respond to the audit, including involvement of legal counsel, applicable consultants and business associates. OCR’s expectation is that plan sponsors are currently compliant and able to respond to the audit in 10 business days. Certain proactive steps can be taken to ensure that OCR’s expectations can be met; however, time is of the essence.

What should business associates do?

Phase II makes it clear that business associates are also in the crosshairs. Moreover, it appears the risk of selection is greater for business associates that serve plan sponsors who have also been selected for audit. It is unclear at this time whether business associates will be selected before the end of Stage 1; however, business associates are well advised to ensure their records are in order.

What if my organization is not selected for a Phase II audit?

Entities not selected for audit should still take the opportunity to review their policies and protocols. Phase II’s processing does not preclude OCR from investigating other complaints and/or conducting other audits of covered entities or business associates.