HIPAA Phase 2 Audit Protocol Released; More Details Emerge

The long-awaited HIPAA Phase 2 audits draw ever nearer, and more information is now available about timing and content. Here are some resources:

• The revised HIPAA Audit Protocol is posted. While comments are invited, it is now clear that OCR will not be reviewing comments and then finalizing the protocol; this is the final version.
• OCR posted a pre-screening questionnaire. This questionnaire is being sent out to covered entities and business associates, and OCR will select parties to audit from this pool.
• OCR has also posted a sample template to be used by covered entities contacted by OCR as potential audit targets to identify their business associates.

Deven McGraw, Deputy Director of Health Information Privacy at OCR, said in an interview that

OCR plans to conduct this year about 200 remote desk audits focusing on compliance with only a small subset of HIPAA requirements and 10 to 25 “full scale audits” that will involve onsite visits.

Thus, while the Phase 2 audit protocol is more comprehensive than the Phase 1 protocol, just a fraction of it will be deployed in each of the desk audits. OCR experience with Phase 2 will inform development of the “permanent” audit program.

More recently, McGraw “announced at an event that covered entities would receive letters about desk audits in May, while business associates will receive such letters in June or July.”

While the number of covered entities and business associates to be audited in this round is tiny, relative to the size of the regulated community, it is worth noting that data breaches have been in the news — and these likely barely scratch the surface of the exposure that covered entities and business associates have to privacy and security risks. It is always a good time to ensure that HIPAA compliance plans and their implementation are up to snuff.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting