Physician Practice

Phase two of HIPAA Audit Program begins

Physician Practice Insider, April 5, 2016

Phase two of the Office for Civil Rights (OCR) HIPAA Audit Program is finally underway. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits.

Once an organization’s contact information is verified, OCR will send a pre-audit screening questionnaire. CEs will be asked to submit a list of their BAs as part of the screening questionnaire. Failure to respond to the request for contact information will not exclude a CE or BA from being audited.

OCR plans to select a representational group of CEs and BAs from this initial group to audit, including both small and large healthcare providers, healthcare clearinghouses, and BAs. Both onsite and desk audits will be conducted. The first round of desk audits will target CEs, with desk audits of BAs following in a second round. Desk audits will focus on specific aspects of security, privacy, or breach notification. Organizations selected for desk audits will be notified of the specific subject, or subjects, of their audit in a document request letter. OCR currently forecasts that the desk audits will be completed by the end of the year.

A third group of both CEs and BAs will be selected for onsite audits. Onsite audits will look at a larger range of HIPAA requirements and compliance issues. Some desk audits may be followed by onsite audits.

Organizations selected for audits will be notified via email and, in addition, sent a document request letter. Documents will be requested in electronic format and will be submitted via a secure audit portal on OCR’s website. Organizations should respond to a request for documents within 10 days of the date on the request.

Auditors will share their draft findings with audited organizations, which may submit responses that will be included in the final audit report.

OCR describes these audits as a compliance improvement activity, meant to help it collect and review information to develop tools to help CEs and BAs comply with HIPAA and create more effective corrective actions. However, if a significant compliance issue is discovered during the course of a phase two desk or onsite audit, OCR may open an investigation.

OCR’s last round of HIPAA audits was conducted in 2012, and phase two of the program has been in development since then. The announcement of phase two comes on the heels of a wave of increased activity on HIPAA, including a number of large fines announced since the end of 2015 and the release of revised guidelines and clarification for CEs, BAs, and consumers.

This article was originally published in HCPro’s Revenue Cycle Daily Advisor.
