Covered Entities and Business Associates may be ringing in the New Year with the prospect of responding to on-site HIPAA audits by federal regulators. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced that a certain number of comprehensive on-site HIPAA compliance reviews will be done over the first quarter of next year. Details of these audits are currently being finalized and will be posted on the OCR website in the coming months.
In a departure from the OCR’s Phase I HIPAA Audit Program, OCR staff will conduct the majority of such reviews with limited support from outside contractors. The stated purpose of such audits is to examine existing compliance measures, identify best practices, and discover problem areas likely to surface at a later date. OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. The information gleaned from such audits may result in follow-up investigations, fines and sanctions, depending upon the severity of violations found.
These on-site audits follow the desk audits of 167 Covered Entities that OCR began in July 2016. According to reports, OCR is still reviewing the voluminous documentation submitted in response to that audit. OCR is currently slated to begin desk audits of Business Associates this month. As with the Covered Entity desk audits, Business Associates will receive notice by email that they have been selected for a desk audit and will have ten (10) business days to respond to the request for documentation. OCR expects to complete all desk audits for Phase II by December 31, 2016. Entities selected for a desk audit may also be chosen for an on-site audit.
To prepare for either a Phase II Business Associate desk audit or a Covered Entity on-site audit by OCR, we suggest giving immediate consideration to the following: