The Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it has begun Phase 2 of its HIPAA audit program. OCR has started sending initial emails to verify contact information for covered entities and business associates of various types. Once contact information is confirmed, OCR will transmit a pre-audit questionnaire to gather data about each entity’s size, type, and operations, which will be used to create the pool from which audit subjects are selected.
On the HHS website, OCR warns that “communications that come from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR; OSOCRAudit@hhs.gov.” A sample email is available on the HHS website.
If OCR does not receive a response to its request to verify the entity’s contact information or to the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Failure to respond to OCR’s request therefore does not exclude an entity: it may still be selected for an audit or become the subject of a compliance review.
HHS has prepared FAQs on its website that address who will be audited, how entities are selected for an audit, how the audit process works, and more. According to OCR, audits will primarily be desk audits, although some on-site audits will also be conducted.
According to the HHS website: “In the coming months, OCR will notify the selected covered entities in writing through email about their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR’s expectations in more detail. In addition, the letter will include initial requests for documentation. OCR expects covered entities that are the subject of an audit to submit requested information via OCR’s secure portal within 10 business days of the date on the information request. All documents are to be in digital form and submitted electronically via the secure online portal.
After these documents are received, the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.
While conducting desk audits of covered entities, OCR will replicate the notification and document request process for initiating desk audits of selected business associates. OCR will share a copy of the final report with the audited business associate.
Similarly, entities will be notified via email of their selection for an onsite audit. The auditors will schedule an entrance conference and provide more information about the onsite audit process and expectations for the audit. Each onsite audit will be conducted over three to five days onsite, depending on the size of the entity. Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements from the HIPAA Rules. Like the desk audit, entities will have 10 business days to review the draft findings and provide written comments to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.”
The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.