On March 21, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that it has begun its phase 2 Health Insurance Portability and Accountability Act (“HIPAA”) audit program. In 2011 and 2012, OCR conducted a pilot audit program (the phase 1 audit) to assess the controls and processes that 115 covered entities implemented in order to comply with HIPAA.
In the phase 2 audit, the OCR will review policies and procedures implemented by covered entities and business associates to comply with selected standards and requirements of the Privacy, Security, and Breach Notification Rules. Every covered entity and business associate is eligible for an audit. Most of these audits will be desk audits. However, the OCR intends to conduct some on-site audits as well.
The audits are designed for OCR to uncover and address risks and vulnerabilities to protected health information. The intent of the audits is to increase awareness of the HIPAA compliance obligations and to enable OCR to better target technical assistance regarding issues identified through the audits. In addition, OCR will develop tools and guidance to assist covered entities and business associates with their compliance self-evaluations and in the prevention of breaches. However, should an audit reveal significant compliance issues, then OCR may conduct a compliance review and further investigate the matter.
OCR published on its website a summary of the phase 2 audit program and the answers to questions regarding the audit process. This publication may be accessed via this link. Now is the time to confirm that your HIPAA compliance program is up to date.
