The OCR recently announced the beginning of the next phase of the HIPAA Privacy, Security, and Breach Notification Audit Program and indicated that it will review the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules. During the upcoming months, OCR will contact selected covered entities and business associates by email, informing them of the desk audit and requesting documents and data. Entities will have 10 business days to provide requested information via a new secure audit portal available on the OCR website.

A wide range of covered entities are being identified by OCR to better assess HIPAA compliance across the industry. Covered entities and business associates will be selected based on entity size, affiliation with other healthcare organizations, type of entity and its relationship to individuals, geographic factors, and whether the organization is public or private. OCR indicates that it will not audit an entity that currently has an open complaint investigation or is undergoing a compliance review, according to the OCR. However, if an audit identifies serious compliance issues, OCR may initiate a compliance review of the entity.

Covered entities need to be aware that OCR will contact the covered entity by email to request contact information and to disclose identity of the covered entity’s business associates. If the entity does not respond to OCR’s request, OCR will obtain information that is publicly available. Covered entities that do not complete the requested contact information may still be selected for an audit or subject to a compliance review.

OCR will review the desk audit information and provide a draft report of its findings to the entity. The entity will have 10 business days to review and provide comments to OCR, which will be included in the final report. Thereafter, OCR will complete the final report within 30 business days and provide it to the entity.

Desk audits are slated for completion by the end of December 2016. Although the majority will be desk audits, OCR indicates it will conduct on-site audits, and some desk audits may subsequently become on-site audits. The entity will be notified by email if it is selected for an on-site audit, and OCR estimates the audit will take place over three to five days, depending on the size of the entity. The entity will receive a draft report from OCR, and have 10 business days to review and provide comments, which will be included in the final report. Thereafter, OCR will complete the final report within 30 business days and provide it to the entity.

OCR intends to use the information gleaned from the audits to develop technical assistance and tools to assist entities in achieving compliance and in preventing breaches. OCR will update and post the audit protocol to its website whereby entities can use the tool to conduct their own self-audits.

For information pertaining to areas of compliance concern and a HIPAA Audit Checklist, please refer to our previous blog post: OCR HIPAA Phase 2 Audits Coming Soon. Be Prepared.