OCR Phase 2 HIPAA Audits: Documentation Requests Issued

The Department of Health and Human Services’ Office for Civil Rights (OCR) has now selected covered entities from its pool of eligible organizations and has chosen 167 for a HIPAA compliance audit. Covered entities selected for a compliance audit have now been notified by email.

Those organizations now have just 10 days to respond to the emails and submit the requested documentation to the OCR.

The audits – which are desk based – have been split between healthcare providers, health plans, and healthcare clearinghouses. The audits are being conducted on a geographically representative sample that includes healthcare organizations of all sizes. Desk audits of HIPAA business associates will follow in the fall.

The desk audits comprise of a documentation check to ensure compliance with the Health Insurance Portability and Accountability Act’s Privacy, Security, and Breach Notification Rules.

Earlier this year the OCR published details of the new audit protocol. The protocol contains a long list of different aspects of HIPAA Rules that could potentially be assessed by OCR auditors. According to a recent notification from the OCR, the desk audit compliance reviews will assess just 7 elements of Privacy Rule, Breach Notification Rule, and HIPAA Security Rule compliance.

Historically, these seven aspects of HIPAA have caused problems for healthcare organizations. The first round of compliance audits in 2011/2012 revealed numerous organizations had failed to comply with these requirements of HIPAA. The OCR’s subsequent enforcement activities have shown that many covered entities have still failed to get to grips with these elements of HIPAA.

The specific aspects of the HIPAA Privacy Rule which are being assessed are:

Privacy Rule: Notice of Privacy Practices & Content Requirements

  • 164.520(a)(1) – Right to notice
  • 164.520(b)(1) – Required elements of the Notice of Privacy Practices

Privacy Rule: Provision of Notice – Electronic Notice

  • 164.520(c)(3) – The requirements for the electronic notice

Privacy Rule: Right to Access

  • 164.524(a)(1) – Access to protected health information
  • 164.524(b)(1) – Individual’s request for access and timely action by the covered entity
  • 164.524(b)(2) – Timely action by the covered entity
  • 164.524(c)(2) – Form of access requested.
  • 164.524(c)(3) – Time and manner of access
  • 164.524(c)(4) – Fees
  • 164.524(d)(1) – Making other information accessible
  • 164.524(d)(3) – Other responsibilities

The specific aspects of the HIPAA Security Rule which are being assessed are:

Security Rule: Security Management Process – Risk Analysis

  • 164.308(a)(1)(ii)(A) – Accurate and thorough organization wide risk assessments

Security Rule: Security Management Process – Risk Management

  • 164.308(a)(1)(ii)(B) – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

The aspects of the HIPAA Breach Notification Rule that will be assessed are:

Breach Notification Rule: Content of Notification 

  • 164.404(c)(1) – Content requirements of breach notifications

Breach Notification Rule: Timeliness of Notification

  • 164.404(b) – Timescale for issuing breach notifications

Each covered entity selected for audit has been provided with a link to the OCR’s secure online portal which must be used to submit all the necessary documentation. That process must be completed by July 22, 2016.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.