LawFlash

OCR Launches Phase 2 of HIPAA Audits

March 24, 2016

Five suggested steps healthcare organizations and their contractors should take to prepare.

On March 21, the Office of Civil Rights (OCR) of the Department of Health and Human Services launched Phase 2 of the HIPAA Audit Program. The audits are intended to determine if healthcare organizations and their contactors are complying with the Health Insurance Portability and Accountability Act’s (HIPAA’s) Privacy, Security, and Breach Notification Rules. According to OCR, the audits are also intended to help it get out in front of potential problems and better direct its guidance to address issues currently affecting the confidentiality and security of protected health information (PHI).

Why Audits?

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) requires OCR to periodically audit covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012, which focused solely on covered entities. After many delays, OCR is now proceeding with Phase 2 audits, which will include both covered entities and business associates.

When Will the Audits Occur?

Phase 2 will consist of approximately 200 desk and on-site audits. Desk audits, which focus on document review, will make up the majority of the audits and will consist of two rounds. The first round of desk audits will center on covered entities, and the second round will focus on business associates. The desk audits are expected to be completed by December 2016. The third round of audits will be on-site and will begin later in the year. An entity that is subject to a desk audit may also have to undergo an on-site audit.

How Will the Audits Work?

OCR is sending emails to select covered entities and business associates asking them to verify their contact information. These entities will then receive a “pre-audit questionnaire” that requests details about their business size, type, and operations. From there, OCR will create a pool of audit targets that represents a wide range of covered entities and business associates in terms of size, sectors, and geographic location.

Entities selected for a desk audit will be notified by email and will be asked to provide documents and other data. The desk audits will focus on compliance with particular provisions of the HIPAA Privacy, Security, and Breach Notification Rules, such as risk analyses, notices of privacy practices, and response to requests for access to PHI. Audit subjects will have 10 business days to submit the requested information to OCR through an audit-specific portal on OCR’s website. OCR will then review the documentation and develop draft findings. Auditors will share their findings with the audited entities, allowing them 10 business days to respond. The written responses will be included in the final audit report, which also will be shared with the audited entity.

Similarly, entities will be notified by email of their selection for an on-site audit. On-site audits will be conducted over three to five days (depending on the size of the entity) and will be more comprehensive and have a broader focus on HIPAA requirements. Like the desk audit, entities will have 10 business days to review the draft findings and provide written comments to the auditor. OCR will share a copy of the final report with the audited entity.

Audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.

OCR will not post a list of audited entities or the findings of an individual audit that clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits in response to a FOIA request.

What Can Be Done Now To Prepare?

OCR stated that it will post protocols for the Phase 2 audits on its website soon. In the interim, covered entities and business associates should strongly consider taking the following steps now to make sure they are prepared if selected for a Phase 2 audit:

  • Ensure that OCR’s emails are not being routed to a spam or junk email folder. OCR stated that it will be sending audit-related emails from OSOCRAudit@hhs.gov, and that it expects covered entities and business associates to check spam and junk mail folders for correspondence from the agency. OCR also plans to use publicly available contact information about entities that do not respond to OCR’s emails and include them in the audit pool.
  • Prepare a list of business associates. OCR will ask for a list of business associates as part of the pre-audit screening questionnaire. Covered entities should prepare such a list in advance, including contact information and the nature of the services that the business associates provide.
  • Review compliance with the substantive areas expected to be a focus of Phase 2 audits. Covered entities and business associates can evaluate their compliance with HIPAA’s Privacy, Security, and Breach Notification Rules by ensuring that they have adequately addressed the following: (1) periodically conducting a HIPAA Security Rule risk analysis; (2) developing HIPAA policies and procedures; (3) developing breach notification procedures; (4) implementing an updated Notice of Privacy Practices that reflects HIPAA Final Rule modifications; (4) encrypting laptops and other devices containing PHI; (5) maintaining an inventory of information system assets (e.g., mobile devices); (6) implementing a physical security plan for each location that maintains PHI; (7) periodically training staff on HIPAA privacy, security, and breach response policies; and (8) providing timely access to PHI to patients requesting access.
  • Identify your audit response team and ensure that it is ready. Covered entities and business associates will only have 10 business days to respond to OCR’s request for documentation and 10 business days to review the auditor’s draft findings.
  • Consider performing a data mapping exercise. Identifying the locations where PHI is maintained in the organization and tracking data flows—both within the organization and with third parties—can help identify weak points in a HIPAA compliance program.

Even if a covered entity or business associate is not selected for a Phase 2 audit, the exercise of preparing for one can be helpful in reducing HIPAA compliance risk and preparing the organization in the event of an OCR investigation.

Upcoming Morgan Lewis Webinar

For additional information on this topic, a webinar titled “OCR Launches HIPAA Phase 2 Audits: Are You Prepared?” will be held on April 5 at 12:00 pm ET. Register for the webinar.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Nicole Sadler

Chicago
Saghi Fattahian

Philadelphia
Georgina L. O’Hara