The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has finally announced it is starting Phase 2 of its audit program. OCR previously conducted a pilot audit of 115 Covered Entities in 2011-2012 to assess controls and processes. Building on that experience, OCR will target approximately 200 Covered Entities and Business Associates in Phase 2. Here is what entities can expect:
What: The audits will largely be “paper” reviews of policies and procedures, but will also include some on-site visits. OCR indicates that it is “enhancing” its prior audit protocol, which OCR has already edited, based on changes in the Omnibus Rule. OCR will first conduct desk audits of Covered Entities followed by a second round of desk audits for Business Associates (though these audits may also include site visits). A third set of audits will be conducted primarily onsite and will consider a broader range of issues than covered with the desk audits. Some entities subject to a desk audit will also receive an onsite audit. The audits will cover HIPAA only, not state privacy and security rules.
How: If selected for a desk audit, the timeline will generally be: (1) entities have 10 business days to provide requested documents electronically through a secure portal; (2) OCR will prepare draft findings; (3) auditees will have 10 business days to review and return written comments to OCR regarding the draft findings; and (4) OCR will complete a final audit report within 30 days of receiving comments back from the auditee. Onsite audits will be more comprehensive than desk audits and will typically last 3-5 days. In Phase 1 of the audit program, OCR typically provided 30-90 days advanced notice, but has not indicated how much notice will be provided for Phase 2. Like desk audits, onsite auditees will have an opportunity to respond to OCR’s preliminary findings before a final report is prepared.
When: Preliminary communications (via email and mail – see a sample) requesting Covered Entities and Business Associates to provide contact information to OCR were distributed on March 21, 2016. That communication requests entities to respond within 14 days with correct contact information, but notes that the failure to respond will not shield an organization from being selected for an audit. Next, OCR will distribute a “pre-audit questionnaire.” That questionnaire will seek information about the organizations to develop “pools” of Covered Entities and Business Associates so that OCR can audit a wide range of entities. Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter. OCR suggests that desk audits will start “in the coming months” and finish by December 2016, and that the onsite audits will commence later this year.
Who: OCR will select a range of different Covered Entities and Business Associates and will consider a number of factors including: size, types and operations of potential auditees, affiliation with other healthcare organizations, the entity’s relationship to individuals, whether the entity is public or private, geographic factors, and present enforcement activity with OCR. Importantly, OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
Why: OCR indicates that the audits will “primarily” be used to understand compliance efforts, develop technical assistance, identify the types of corrective action that would be most helpful, and develop tools and guidance to help the industry with compliance, self-evaluation, and breach prevention. However, OCR reserves the right to initiate a compliance review to investigate any serious compliance issues that it uncovers during the audits.
The upcoming audits will likely provide extra incentive to Covered Entities and Business Associates to continue evaluating HIPAA compliance and make any necessary changes to policies and procedures.