OCR Phase 2 Audit Program Underway

The US Department of Health and Human Services, Office for Civil Rights (OCR) announced Monday that it has started Phase 2 of the HIPAA Audit Program that will lead to hundreds of reviews of covered entities and business associates.

Over the next seven months OCR will be conducting limited scope desk audits of about 200 covered entities (CE) and business associates (BA). The agency said that it will also perform 24 on-site, comprehensive audits. According to OCR, most of the CE audits will be “desk audits,” requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet HIPAA requirements. OCR will also conduct some comprehensive, on-site audits in this round of audits.

OCR’s rollout of Phase 2 of the OCR audit program is starting just as expected. OCR has sent communications via postal mail and email to identify and verify contact information of the designated privacy and security officials of HIPAA covered entities. Covered entities that have received these communications are asked to provide the information sought through an Internet portal maintained by OCR within two weeks of receipt of the request. This activity tracks with how the agency had said that it would initiate the audit program. 

Sometime in April, OCR is expected to follow with a second communication to these covered entities that they are seeking information about the types of services the organization provides, the size and complexity of the covered entity and their use of health IT. These surveys will be used by OCR to develop a diverse group of organizations for selection and participation in audits to be conducted this year.    

What OCR Will be Looking For

While OCR’s audit protocol has not been finalized, the agency has identified areas where it intends to focus its attention:

  • Privacy Rule compliance — how healthcare providers and health plans are meeting Privacy Rule requirements for notices of privacy practices and how providers are handling patient’s right to access Protected Health Information (PHI), and to receive an electronic copy    
  • Security Rule compliance — policies and procedures for risk analysis of the safeguards protecting information systems that handle e-PHI, as well as the organization’s mitigation plan to address gaps identified through the assessment
  • Breach Notification Rule compliance — whether an unauthorized use or disclosure of PHI is reportable under the Breach Notification Rule, as well as processes for making required notifications if a breach occurs

How to Prepare

Healthcare provider practices, health plan administrators and business associates should prepare now so they’re ready if they are selected for a desk audit:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required audit documentation and clearly understand the submission process
  • Consider conducting a mock audit (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

OCR has posted a notice on its website regarding Phase 2 of the audits. It includes program background information, FAQs and a sample of the address verification communication. Click here to view it.

If you have any questions about the audit program or want to know more about our mock audit services contact us at info@cynergistek.com.

March 22nd, 2016|

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.