The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced on March 21, 2016 that it has officially launched Phase 2 of its Health Insurance Portability and Accountability Act (“HIPAA”) Audit Program. OCR has already begun sending out communications to covered entities and business associates to obtain or verify their contact information.
Once information is verified, OCR will distribute screening questionnaires to gather data about the size, type, and operations of potential auditees. OCR will then create audit pools based on the responses to these questionnaires, and it will select a random sample of covered entities and business associates for desk audits. After desk audits are completed in 2016, OCR may conduct more extensive on-site audits.
Although the audits are designed to improve compliance and assist OCR in developing tools and guidance to assist the industry, OCR may initiate a compliance review to investigate any serious compliance issues revealed during the audit.
With Phase 2 HIPAA Audits underway and an increasing focus on HIPAA compliance in the wake of substantial resolution agreements related to OCR’s compliance investigations, it is critical for covered entities and business associates to ensure that all policies and procedures are updated and compliant with HIPAA rules and regulations.