On March 21, 2016, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced the launch of its Phase 2 HIPAA compliance audits pursuant to which it will audit covered entities and business associates for compliance with selected requirements of the HIPAA privacy, security and breach notification rules.  Phase 2 follows an initial pilot phase and a report issued by the HHS Office of Inspector General (“OIG”) recommending that OCR “fully implement a permanent audit program.”  HIPAA covered entities and business associates should have compliance documentation at the ready so that they can, if audited, comply with audit requests with short turnaround times.

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted in 2009, required among other things that HHS perform periodic audits of covered entities and business associates for compliance with the HIPAA privacy and security rules.  In 2011, OCR established a pilot audit program to serve as the basis for ongoing audit efforts in compliance with the HITECH Act.  This Phase 1 audit program led to the audit of 115 covered entities and was completed in December 2012.  Phase 1 did not include the audit of business associates. 

OCR initially announced that it would begin Phase 2 audits in 2014 but was forced to delay the Phase 2 launch due to a lack of funding.  In September 2015, the HHS OIG issued a report calling for stronger HIPAA oversight by OCR and recommending that OCR fully implement a permanent audit program.

The Phase 2 audit program has the following features:

  • Every covered entity and business associate is eligible for an audit.  
  • OCR has sent e-mails to a number of covered entities and business associates to begin to verify contact information and determine which are appropriate to be included in potential auditee pools.  OCR has advised HIPAA-regulated entities to check their junk or spam email folders for emails from OCR.  Entities that do not respond to OCR may still be subject to an audit or compliance review.
  • OCR next will send pre-audit screening questionnaires to potential auditees.  The questionnaires will among other things ask entities to furnish a list of their business associates.
  • Audits will consist of three rounds of desk and onsite audits.
  • The first round of audits will be desk audits of covered entities followed by a second round of desk audits of business associates.
  • All desk audits will be completed by OCR by the end of December 2016.
  • The third round of audits will be onsite and will examine a broader scope of HIPAA requirements than the desk audits.  Some desk auditees may be subject to a subsequent onsite audit.
  • For desk audits, audit subjects will have 10 business days to provide OCR with the requested audit information, after which OCR will furnish draft audit findings.
  • Desk audit subjects will then have 10 business days to provide OCR with a response to the draft audit findings.
  • Desk audits will be completed by OCR within 30 business days after the auditee’s response to the initial findings.
  • Onsite audits will take place over 3-5 days depending on the size of the entity.
  • As with desk audits, entities will have 10 business days to respond to draft findings, and the final audit report will be completed 30 business days after that.
  • Although audits are viewed by OCR primarily as a compliance improvement activity, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.
  • While OCR will not post a listing of audited entities or findings, OCR may be required to release such information under the Freedom of Information Act.

Covered entities and business associates should not underestimate the challenge of responding to a desk audit in 10 business days and should not expect to have access to OCR staff to ask questions about the audit request.  Accordingly, HIPAA-regulated entities must get their compliance documentation in order now so that it may be produced quickly upon receipt of an audit request.  Key documentation includes at a minimum policies and procedures, risk assessments and related remediation, potential breach analyses, business associate contracts, and workforce training and awareness materials.  As an initial preparatory step, entities should prepare a list of their business associates, which OCR will request from all covered entities as part of the pre-audit screening questionnaires.

The OCR press release announcing Phase 2 of the HIPAA Audit Program, with a link to more comprehensive information, can be found here.  The September 2015 OIG report can be found here.   

Reporter, Stephen Abreu, San Francisco, CA, +1 415 318 1219, sabreu@kslaw.com