The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) began a pilot program in 2012 to assess the procedures implemented by covered entities to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR evaluated the effectiveness of the pilot program and then announced Phase 2 of the program on March 21, 2016. Phase 2 Audits focus on the policies and procedures adopted by both covered entities and business associates to ensure they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Covered entities include health plans, health care clearinghouses, and health care providers, whereas business associates include anyone handling health information on behalf of a covered entity.
Phase 2 Audits of business associates focus on risk analysis, risk management, and reporting of HIPAA breaches to covered entities. OCR emphasizes the importance of audits as a compliance improvement activity: they identify best practices and proactively uncover and address risks and vulnerabilities in order to protect protected health information (PHI).
OCR chose entities to audit through random sampling of the audit pool. Communications from OCR were sent via email, so it is important to check spam filters and junk emails for communications from OSOCRAudit@hhs.gov. OCR emailed a notice to verify contact information. Once the contact information was verified, OCR emailed a pre-audit questionnaire to gather data about size, type, and operations of the entity. This data was used with other information to develop pools of potential covered entities for making audit selections.
Phase 2 Audits consist of three sets of audits. The first set will be desk audits of covered entities and the second set will be desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and covered entities will be notified of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. OCR will select entities and request that they electronically submit documentation within 10 days. The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules.

On July 11, 2016, 167 covered entities were notified that they were selected for a desk audit. Desk audits of business associates will begin this fall. Download the complete Compliance Advisor, “HIPAA Phase 2 Audits”, for best practices for covered entities facing desk or field audits.