On March 21, 2016, OCR finally announced Phase Two of its HIPAA Audit program (short version in the presser). Phase 1, you may recall, kicked off in 2011 and consisted of 115 audits of covered entities. OCR has had some hiccups along the way, but is now just about ready to roll out a broader program. While these publications are framed as kickoff announcements, the actual kickoff is not quite here yet. OCR is still developing enhanced protocols for these audits (which will be posted online “closer to conducting the 2016 audits”). In Phase 2, OCR will be auditing both covered entities and business associates, and it will be experimenting with desk audits.
Update 4/8/2016: Here is the HIPAA Phase 2 Audit Protocol and more information.
While the results of an audit that identifies compliance issues could be quite severe, OCR continues to treat its enforcement efforts as
an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.
The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.
See, they just want to help ….
In Phase 1, virtually all audit targets were found to be out of compliance in at least some respects.
OCR is in the process of verifying contact info for covered entities and business associates, and is putting the regulated community on notice to check spam filters, because it will be sending audit notices via email.
As has been said before by OCR representatives, the agency will be asking covered entities for lists of their business associates, with contact info, so it would be a good idea for covered entities to pull together lists of business associates (this is information that should be easily accessible in any case). OCR will randomly select covered entities and business associates for audit.
The plan is to conduct two sets of desk audits, one of CEs and one of BAs, to be completed by December of this year. These will be focused on specific requirements of the Privacy, Security or Breach Notification Rules, and the audit subjects will be notified of the scope in the notification letter. Desk audit subjects will be asked to submit documents through a secure online portal within ten business days of the request.
The third set of audits will be performed onsite and will be broader in scope. Some lucky CEs and BAs will have the pleasure of both desk audits and field audits.
There is an opportunity to review and comment on audit reports before they are finalized.
If an audit reveals a “serious compliance issue,” OCR may investigate further.
Audit reports will not be listed or posted automatically, but audit notification letters, completed reports and other materials will be subject to FOIA rules.
Obviously, the audit program will not reach all members of the regulated community, and OCR has not announced how many CEs and BAs the office intends to audit. The OCR complaint investigation apparatus will not grind to a halt while these audits get underway, so all members of the regulated community should of course remain actively engaged in continuing their HIPAA compliance efforts.
For those who have not put a HIPAA compliance program in place, or who may need to review business associate agreements and policies and procedures, or conduct or update risk assessments … act now!