OCR Launches Phase 2 of HIPAA Audit Program
The HHS Office for Civil Rights (“OCR”) has announced that it will begin the 2016 Phase 2 HIPAA Audit Program, the next phase of audits of covered entities and their business associates. In Phase 2, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to satisfy standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Phase 2 audits will primarily be desk audits, however, some on site audits will occur. OCR will evaluate the results and procedures used in the Phase 2 audits to develop a permanent audit program.
The Phase 2 audit process begins with OCR sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. OCR will then send pre-audit questionnaires to obtain information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools.
If a covered entity or business associate does not respond to OCR’s email request to verify contact information or the pre-audit questionnaire, OCR will use publically available information to verify contact information or respond to the questionnaire. Thus, covered entities and business associates should be aware that ignoring OCR’s emails will not keep them from being part of potential audit subject pools.
OCR will post updated audit protocols on its website closer to when it will begin to conduct the 2016 audits. The audit protocol will be updated to reflect HIPAA Omnibus Rulemaking.
The Health Law Partners has represented a numerous covered entities and business associates under OCR scrutiny. If you need guidance responding to OCR’s pre-audit questionnaire, are currently under OCR scrutiny, or would like to know how to maintain compliance with the HIPAA Privacy, Security, and Breach Notification Rules, please contact Adrienne Dresevic, Esq., at firstname.lastname@example.org, or Clinton Mikel, Esq., at email@example.com, or at 248-996-8510.