It Pays to be Ready: HIPAA Phase II Audits Underway Now

Written by: Patrick Powell, Esq.

On March 21, 2016, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program.  Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR beginning the audit process.

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.  OCR conducted Phase 1 audits in 2011 and 2012.  The Phase 1 audits only examined Covered Entities and the results were generally disappointing.  OCR is now proceeding with Phase 2.

OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates.  The first round of audits will be for Covered Entities with a second round for Business Associates.  Desk audits are supposed to be completed by December 2016.  Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal.  Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report.  A final report will be shared with the entity.

For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization.  OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.”  Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.

When OCR knocks on your door, asking about HIPAA compliance, it pays to be ready.  OCR is looking to audit providers ranging from large to small, and across a wide geographical distribution.  According to Linda Sanches, OCR’s senior advisor for health information privacy, the best piece of advice about preparing for audits is to actually be in compliance and to conduct a comprehensive risk analysis.  “If you don’t do periodic risk analysis,” Sanches stated, “you won’t know where you stand.”

Ms. Sanches went on to say “[t]he onus is on you to prove you had the proper systems in place.”  “If you did a comprehensive risk analysis and took the necessary steps, that’s what you need to show us” said Sanches.

What to do Today

Hopefully your organization has been following the regular updates from OCR.  But in case you need a refresher, some key to-do items from the National Law Review are listed below:

  • Ensure that OCR’s emails are not being routed to your spam or junk email folder. OCR has stated it will be sending audit related emails and that it expected Covered Entities and Business Associates to check spam and junk mail folders for correspondence from the agency.  Failure to respond to OCR’s emails won’t get an entity off the hook for an audit; the agency plans to use publicly available information about entities that do not respond and include them in the audit pool.
  • Prepare a list of your business associates. In the pre-audit screening process, OCR will ask for a list of business associates.  The agency encourages Covered Entities to prepare a list in advance for responding to this request.
  • Review the Phase 1 Audit Protocol. OCR has not yet posted updated audit protocols for Phase 2, but the Phase 1 audit protocol remains available on the OCR website.  Even if your organization is not selected for an audit, working through the protocol is a great way to evaluate your compliance.
  • Ensure you have an audit response team ready. As noted above, Covered Entities and Business Associates will have only 10 business days to respond to OCR’s request for documentation.  They will also have only 10 business days to review the auditor’s draft findings.  Assemble your audit team (and your documents) in advance.
  • Review the audit information on OCR’s website.

The attorneys of Hall Booth Smith, P.C. are available to provide results-driven solutions to your data privacy and security needs, including HIPAA compliance in preparation for the OCR audits.  As noted above, time is of the essence.

If you have compliance needs or questions, or wish to confirm that your HIPAA policies, procedures, and documentation will be approved should your facility be audited, please contact Patrick C. Powell at ppowell@hallboothsmith.com or by telephone at 912-554-0093.