Phase 2 HIPAA Compliance Audits Commence

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started.

According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.”

Start Date for the Second Phase of HIPAA Compliance Audits

While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin.

OCR-logoThe OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016.

The date when the first desk audits will actually be conducted was not detailed in the announcement. However, at last week’s PHI Protection Network Conference in Philadelphia, OCR regional manager for the Mid-Atlantic region, Barbara Holland, said the audits would actually start to be conducted in approximately four to six months.

Initially, 150 desk audits will be conducted on healthcare providers and health insurers followed by 50 desk audits on business associates. They will be followed by 50 full audits, 40 of which will be on covered entities and 10 on their business associates. Full audits will involve a site visit.

Today’s official announcement provides further information on the process of selection. The protocol for the phase 2 HIPAA compliance audits will not be released until closer to the actual start date, and will be posted on the OCR website.

Phase 2 HIPAA Compliance Audits Start with the Creation of a Subject Pool

Initially, OCR is sending out emails to covered entities and their business associates in an attempt to verify contact information. The emails are being sent to the contact OCR has on file as being responsible for HIPAA compliance at each organization.

Each organization has 14 days to respond to the email and confirm that the information is correct, and if not, to supply up to date contact information. Failure to respond to the email request will not prevent covered entities from being selected for audit. OCR expects covered entities to regularly check spam and junk folders for email correspondence from OCR.

Following the process of verification, OCR will send out pre-screening questionnaires to gather further information about each entity, including the size of each organization and the nature of healthcare operations performed. Each covered entity will also be asked to provide details of current business associates, and these will form the pool for the 50 desk audits that will be conducted on business associate audits after the initial stage of audits on covered entities.

After the data from the pre-screening questionnaires have been collated and analyzed, OCR will select a geographically representative sample for the desk audits, taking into account the size of an organization, its functions, and affiliation with other entities. The aim is to audit a broad spectrum of covered entities.

The only organizations exempt from audits are those currently involved in a compliance review and any organization that has a current complaint against it still open.

After the desk audits have been conducted, OCR will move on to the third round of audits which will involve site visits. If an entity is selected for a desk audit, it does not mean that a full compliance audit will not be conducted.

The aim of the audits is to gather information to help OCR prepare future guidance and to better target its technical assistance to specifically address aspects of non-compliance and areas of confusion about HIPAA Rules. The results of the audits will also be used by OCR to develop a permanent audit program.

If serious HIPAA violations are discovered they may result in further investigation of a covered entity to determine the extent of non-compliance. While the audits are intended to be a fact finding mission, civil monetary penalties may be appropriate if organizations are discovered to have willfully disregarded HIPAA Rules.

Further information on the audit process has now been posted on the OCR website, and can be viewed on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.