OCR Begins Phase 2 of HIPAA Audit Program

Spotlight on shelves with paper medical records

The hotly anticipated Phase 2 series of HIPAA privacy and security audits of covered entities and their business associates is underway, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Monday.

This round of audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules,” according to OCR.

OCR started the audit process by sending e-mail messages or written letters to a broad range of healthcare organizations and business associates to verify their contact information and create a potential pool of candidates to audit. Nearly every type of HIPAA-covered entity or business associate is eligible to be audited. OCR will then send out pre-audit screening questionnaires to gather information as to the size, type, and operations of potential auditees, in addition to asking covered entities for a list of all their business associates. This data will be used with other information to create potential audit subject pools.

OCR will draw a random sample of entities from the audit pool. Selected auditees will then be notified of their participation. If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review, according to the HHS website.

In 2011 and 2012, OCR ran a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. Drawing on that experience and the results of the evaluation, OCR is implementing phase two of the program, according to the HHS website.

The Audit Process

Under Phase 2 there will be two rounds of desk audits, wherein organizations chosen for an audit will submit the required documentation to auditors located remotely. The first round will be audits of covered entities, and the second round of desk audits will center on business associates. The plan is to finish both rounds of desk audits by the end of 2016. Auditees will be notified of their selection for a desk audit in the coming months.

Entities selected for an onsite visit can expect the audit to take three to five days to complete, depending on their size. Additionally, onsite audits will take a more detailed look at a wider range of HIPAA requirements than the desk audits. And, as with desk audits, chosen entities will have 10 days to respond to the findings of the audit with comments. Auditors will then have 30 business days to respond to the auditees’ comments.

After an audit is finished, “OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches,” OCR said in its statement.

Why Audits are Conducted

Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services, health plans of all sizes and functions, healthcare clearinghouses, and a range of business associates of these entities, OCR said.

OCR is conducting the audits to see if covered entities and their business associates are properly following the rules and regulations outlined in the HIPAA Privacy, Security, and Breach Notification Rules. “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits,” reads an OCR statement on the audits. “Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.”

For more information on the audit process, click here for an HHS FAQ.

Click here to see an example of the letters that will be sent out to organizations picked for the auditing process.
