Phase 2 HIPAA audits have arrived

Last week, the HHS Office for Civil Rights (OCR) kicked off its long-anticipated program of Phase 2 HIPAA audits of covered entities and their business associates. The audits will examine the policies and procedures these parties have adopted and employed to meet the standards and specifications of the HIPAA Privacy, Security, and Breach Notification Rules.

Does this apply to my organization?
Entities and business associates of all sizes and types are eligible to be chosen for desk and/or onsite audits. This includes any individual and organizational health service providers, healthcare clearinghouses, health plans, and any business associates of these.

To get the ball rolling, OCR is currently emailing notification letters to entities and business associates. It is the responsibility of the recipient to respond, so it’s important to keep a close eye on emails and check spam folders over the coming weeks. Full cooperation is expected, and failing to respond to this initial contact will not lead to any form of exemption from the audits. A sample copy of the letter can be found here:

Following the notification letter, a pre-audit screening questionnaire will be sent in order to obtain data about the size, type, day-to-day operation, and associated businesses of potential auditees. From this, OCR will select random sample pools to be audited.

What does the audit involve?
OCR have so far confirmed three stages of audit for the second Phase:

  1. Desk audits of covered entities
  2. Desk audits for business associates
  3. Onsite audits

The desk audits will examine specific requirements and are expected to be completed by December 2016, after which onsite audits will commence in order to examine a broader scope of requirements. Although there will be fewer site audits than we saw in the Phase 1 audits of 2011 and 2012, auditees should still prepare for a visit and it’s important to be aware that desk auditees could also be subject to an onsite audit if deemed necessary.

In the coming months, OCR will request information via its online portal from entities which are subject to audit. Requested information must be submitted within ten working days.

For entities selected for onsite audit, auditors will spend between three and five days onsite with the organization, carrying out comprehensive checks.

Auditors will use this information to draft a report, to which auditees will be given the opportunity to respond and contribute.

How can my organization prepare?
It is hoped that all covered entities and business associates have been following updates from OCR on the HIPAA audits and have prepared well in advance for the program.

However, with the Phase 2 audit process officially in place, it is worth refreshing your memory with the following key actions:

  • Prepare your team – As stated above, auditees have just 10 days to respond to document requests from OCR. Ensure a response team and documents are prepared in advance.