The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced the long-awaited launch of Phase 2 of its HIPAA Audit Program (Phase 2 Audits). The Phase 2 Audits will review the policies and procedures used by covered entities and their business associates to meet certain selected standards and implementation specifications of the HIPAA Privacy, Security and Breach Notification Rules.
Phase 2 Audit Program Timeline
Contact Information Confirmation
OCR is contacting potential audit targets via email only. Hard copy letters will not be used. OCR also indicated that their initial email may be classified as junk by some virus protection and spam filters. Covered entities and business associates are expected to check their spam/junk email folders regularly for emails from OSOCRAudit@hhs.gov or to revise their email filters to accept those emails. A sample initial contact letter is linked here.
Audit Pre-Screening Questionnaire
Once contact information is confirmed, OCR will send a questionnaire designed to gather information about the size, entity type and operations of potential auditees. That information will be used to develop pools of potential audit targets, but receipt of a questionnaire does not indicate that any particular entity will be selected for audit.
Covered entity audit targets will be asked to provide a list of their business associates. While OCR has not indicated the timeframe for providing the list, based upon the deadlines for other stages of the audit process, OCR is likely to expect a covered entity to provide the list within a relatively short timeline.
If an entity does not respond to OCR's request for information, OCR will use publicly available information to develop the audit pool. Failure to respond to OCR does not exempt an entity from possible audit. We strongly encourage all entities to respond promptly to all audit-related emails.
Rounds 1 and 2: Desk Audits
The first two rounds of Phase 2 Audits will be desk audits. Round 1 will target covered entities and Round 2 will target business associates. Entities will be randomly sampled from the audit pool, presumably adjusted to achieve a range of entity types, sizes and functions. OCR expects that Rounds 1 and 2 will be completed by the end of this year.
The desk audits will focus on compliance with specific requirements of the HIPAA Privacy, Security and Breach Notification Rules. Once an entity is selected for audit, it will be notified by email. The email will include the subject, or subjects, of the audit and a request for documents. Documents must be uploaded electronically to a new OCR secure audit portal within 10 business days after the date of the document request.
OCR will review the materials submitted, prepare written findings and share a draft of the audit report with the target. The target then has 10 business days to provide a written response, which will be included in the final report. Within 30 business days after receiving the target’s comments, the auditor will complete a final audit report. The final report will be shared with the audit target. OCR has indicated it will not publicly share a list of audited entities or reports in which the auditee is clearly identified. They will, however, respond appropriately to Freedom of Information Act, or FOIA, requests.
Round 3: Onsite Audits
The third and final round of the Phase 2 audits will be conducted onsite by OCR personnel. OCR will notify selected entities by email and will schedule an entrance conference as well as provide information about the onsite audit process and OCR's expectations for the audit. Round 3 audits are expected to last three to five days onsite, depending on the size of the entity. Although some targets of desk audits may be selected for onsite audits, there seems to be the possibility that some targets will be selected for onsite audits only.
The onsite audits will be more comprehensive and cover a broader range of the HIPAA Privacy, Security and Breach Notification Rules as compared to desk audits. Once the onsite audit is complete, the auditors will provide draft findings, and the audit target will have 10 business days to provide written comments. Within 30 business days of receipt of the target’s comments, the auditors will finalize the written report.
OCR stated in the announcement that audits are primarily a "compliance improvement activity," which in the past has meant that OCR does not intend to assess penalties based on audit results. However, OCR also stated that identification of a compliance issue may trigger a compliance review or further investigation of the audit target. OCR plans to analyze the audit results and use that information to develop tools and guidance to assist in compliance self-evaluation, identify best practices and promising practices, and determine the most helpful types of technical assistance and corrective action.
Covered Entities and Business Associates Are Eligible for Audit
Unlike Phase 1 Audits, which only included covered entities, Phase 2 Audits will also include business associates. Both covered entities and business associates are eligible for desk audits and/or onsite audits. This means that covered individual and organizational providers of health services, health plans of all sizes and functions, healthcare clearinghouses and business associates of such entities should be prepared to respond to a pre-screening questionnaire and for a possible audit.
OCR has stated that it will not audit entities that have an open complaint investigation or that are currently undergoing a compliance review. In addition, all compliance requirements remain in full effect regardless of audit selection status, and OCR will continue to monitor compliance and respond to and investigate complaints regarding HIPAA Privacy, Security and Breach Notification Rules. It is not clear what will happen if an auditee becomes subject to an investigation or compliance review during the course of an audit.
What to Do Now to Prepare
To prepare for a potential audit, covered entities and business associates should do the following:
While we recommend covered entities and business associates review their compliance protocols on a regular basis, entities eligible for Phase 2 Audits should take the time now to ensure their systems, policies and implementation procedures are up-to-date and properly documented. Given the short timeline for Phase 2 Audits, once a target receives a notice of audit selection, it will likely be too late to bring its procedures into compliance with HIPAA Privacy, Security and Breach Notification Rules.