The Department of Health and Human Services’s Office for Civil Rights (OCR) announced last week that it has launched Phase 2 of its HIPAA Audit Program. Under this Audit Program, OCR will review whether entities subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Data Breach Notification regulations are complying with those regulations.  OCR has already begun to send initial emails to “covered entities” and “business associates” (defined in the HIPAA regulations) regarding the audits that seek to verify contact information.

Tip:  These emails may be incorrectly classified as spam by corporate or email filters.  OCR expects covered entities and business associates to check spam and junk email folders for emails from OCR.

Warning:  Sophisticated cybercriminals could use the OCR audits as an opportunity to send fake OCR emails (“phishing emails”) in an attempt to trick employees into turning over individual health information or to click on links that download harmful malware into the organization’s computer network.  Do not click on links or supply any documentation until confirming that the email is legitimate.   An example of a sample OCR email letter is available at the OCR link above or click here.  The OCR email includes an email address to which questions regarding the message,  including verification of whether the email received is from OCR, may be directed.

Tip:  More than one person in an organization may receive an email about the audit program from OCR.  Decide who will be the primary contact for an OCR audit so that everyone can respond consistently to OCR with that information and make sure persons in the organization know to whom they should report any OCR inquiries.

Who will be audited?  Covered entities including providers, health plans (including employer-sponsored health plans), health care clearinghouses, and business associates of these entities—approximately 200 total audits are anticipated.  (For additional information on who is a covered entity or business associate, click here).  Auditees will be selected based upon responses to the initial emails and follow-up questionnaires, but may also be chosen from the pool of persons and entities who never responded to OCR audit emails.  The audits will take into account the size, location and type of entity (including public/private status) and affiliations with other healthcare organizations.  Entities that have an open complaint investigation or that are currently undergoing a compliance review will not be audited.

How does the selection process work?  Once contact information is obtained, a questionnaire designed to elicit information about the size, type and operations of potential auditees will be sent to covered entities and business associates.  Make sure to emphasize if the organization is part of a large system or if it has recently acquired a practice(s) or if it has been acquired.  As part of the questionnaire, OCR will ask entities for a list of their business associates.  Selected entities will be notified of their participation.  Failure to respond to OCR inquiries will not exempt an entity from audit or a compliance review.

Tip:  If your organization does not already have a list of its business associates with contact information, make one now.  If one exists, update it.  Business associates (remember that covered entities can be business associates) should also compile a list of their downstream (subcontractor) business associates.

How will the audits work? 

Round 1—Desk Audits of Covered Entities.  These will be desk audits where OCR requests the covered entity to upload documents to a portal for an auditor to review at their desk rather than on-site.  The desk audits are anticipated to be completed by the end of 2016.  These will be focused on four main areas:

1. Risk Analysis and Risk Management. OCR will likely want to see whether you have charted where PHI and ePHI live and travel in your organization (including medical devices), if you have identified threats and vulnerabilities, assigned risk levels, and updated for changes in operations, facilities, and known industry threats (e.g., ransomware, lost/stolen mobile devices – do you have a policy for taking PHI or ePHI offsite?).
2. Notices of Privacy Practices.
3. The Right of Access.  OCR issued guidance and FAQs on the right of access earlier this year in response to numerous complaints that covered entities were not fulfilling their obligations under the right of access and might be requiring too much documentation or charging excessive fees. Check your policies, procedures and practices against the guidance and the FAQs and make adjustments if necessary.
4. The Breach Notification Process. This includes the content and timeliness of notifications.

The audit notification letter will comment on the specific subjects of the audit for the entity receiving the letter.  Read the letter carefully and respond in a manner that clarification of your response is not required, but do not submit extraneous information.  Simply answer the question asked.

Round 2—Desk Audits of Business Associates.  These will be desk audits and are anticipated to be complete by the end of 2016.

Round 3—On-Site Audits.  Some desk auditees may be selected for an on-site audit, but an entity does not have to undergo a desk audit to be selected for an on-site audit.  On-site audits will have a broader focus than the desk audits.

Auditees will receive an email notifying them of selection for the audit.  The email will introduce the audit team and will include requests for documentation.  The responses to document requests will be due within ten business days of the date on the information request and must be submitted via OCR’s secure portal.  Keep in mind that extensions will likely be denied absent extraordinary circumstances.    On-site audits will include an entrance conference and a 3-5 day on-site visit (depending on the entity’s size).

The auditors will send each auditee a draft report.  The auditee has ten business days to review and return with comments, and then the auditor has 30 business days to generate the final audit report.  OCR will share a copy of the final report with the auditee.

Use of the Audits.  OCR has indicated it will use the audits to improve compliance and to develop tools and guidance to assist the industry.  However, if an audit indicates a serious compliance issue, then OCR may initiate a compliance review.