On March 21, 2016, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced the launch of its Phase 2 HIPAA compliance audits pursuant to which it will audit covered entities and business associates for compliance with selected requirements of the HIPAA privacy, security and breach notification rules. Phase 2 follows an initial pilot phase and a report issued by the HHS Office of Inspector General (“OIG”) recommending that OCR “fully implement a permanent audit program.” HIPAA covered entities and business associates should have compliance documentation at the ready so that they can, if audited, comply with audit requests with short turnaround times.
The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted in 2009, required among other things that HHS perform periodic audits of covered entities and business associates for compliance with the HIPAA privacy and security rules. In 2011, OCR established a pilot audit program to serve as the basis for ongoing audit efforts in compliance with the HITECH Act. This Phase 1 audit program led to the audit of 115 covered entities and was completed in December 2012. Phase 1 did not include the audit of business associates.
OCR initially announced that it would begin Phase 2 audits in 2014 but was forced to delay the Phase 2 launch due to a lack of funding. In September 2015, the HHS OIG issued a report calling for stronger HIPAA oversight by OCR and recommending that OCR fully implement a permanent audit program.
The Phase 2 audit program has the following features:
Covered entities and business associates should not underestimate the challenge of responding to a desk audit in 10 business days and should not expect to have access to OCR staff to ask questions about the audit request. Accordingly, HIPAA-regulated entities must get their compliance documentation in order now so that it may be produced quickly upon receipt of an audit request. Key documentation includes, at a minimum, policies and procedures, risk assessments and related remediation, potential breach analyses, business associate contracts, and workforce training and awareness materials. As an initial preparatory step, entities should prepare a list of their business associates, which OCR will request from all covered entities as part of the pre-audit screening questionnaires.
The OCR press release announcing Phase 2 of the HIPAA Audit Program, with a link to more comprehensive information, can be found here. The September 2015 OIG report can be found here.
Reporter, Stephen Abreu, San Francisco, CA, +1 415 318 1219, firstname.lastname@example.org