Phase 2 of the OCR HIPAA Audit Program Already Underway

On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) announced the launch of the long-awaited Phase 2 HIPAA Audit Program (Phase 2), and OCR activities related to Phase 2 are already underway. Phase 2 will consist primarily of desk audits, but will include some onsite audits, and both Covered Entities and Business Associates will be selected for audit. Shortly after its announcement, OCR released an updated protocol for Phase 2, which replaces the original protocol used in the pilot audit program and provides some insight into what the auditors will be focusing on in Phase 2. The following is a brief description of the Phase 2 audit process and what Covered Entities and Business Associates should expect.

1. Verification of Contact Information. Communications from OCR were sent via email to select entities to obtain and verify contact information. OCR has warned that these emails may be incorrectly classified as spam and expects entities to check their junk or spam folders for communications from OCR. An entity’s receipt of the contact information verification communication from OCR does not mean that the entity has been selected for an audit. These communications are merely part of OCR’s information gathering efforts to create the eligible pool from which to select entities for audit. Click here to view a sample email letter. 

2. Audit Pre-Screening Questionnaire. Entities that receive the contact information verification communication from OCR, may also then receive an Audit Pre-Screening Questionnaire with questions tailored to whether the entity is a Covered Entity Health Care Provider, Health Plan or Healthcare Clearinghouse or whether the entity is a Business Associate. To reiterate, receipt of the Audit Pre-Screening Questionnaire does not mean that the entity has affirmatively been selected by OCR for an audit. Rather, the questionnaire will be used by OCR to help ensure that the audit pool (and eventually the entities selected for audit) represents the diverse spectrum of types of Covered Entities and Business Associates (for instance, by type of provider, type of service rendered, and size of entity). The full questionnaire can be accessed at the link provided above. However, note that OCR is asking Covered Entities to identify their Business Associate relationships, which OCR will then use to create the pool of potential Business Associate auditees. Covered Entities are encouraged to develop a list of their Business Associates in a form or format similar to the sample template provided by OCR. A sampling of the questions on the Audit Pre-Screening Questionnaire is provided below:

  • Entity Type (public or private?)
  • Entity locations (single location or multi-location?)
  • Organizational structure (affiliated, owned or controlled by another organization?)
  • What is the approximate total revenue for the most recent fiscal year?
  • If a Health Care Provider:

    • Are you a Covered Entity?
    • Do you maintain or transmit Protected Health Information in electronic format?
    • How many patient visits in the prior fiscal year?
    • How many patient beds?
    • Number of clinicians on staff or with privileges?
  • If a Health Plan:

    • What is the total number of members within your health plan?
    • What is the total number of members within your health plan? 
  • If a Healthcare Clearinghouse:

    • Total number of transactions processed monthly?
    • Current number of healthcare providers, health plans, and other entities served?
  • If a Business Associate:

    • What types of Covered Entities do you provide services for?
    • Do you perform business associate functions in more than one state?

Following its receipt of the completed Audit Pre-Screening Questionnaires, OCR will then select the entities that will be audited. Notably, OCR has advised that failing to respond to a verification of contact information request or failing to complete the Audit Pre-Screening Questionnaire will not remove the entity from the potential audit pool. Auditers will be randomly selected from the audit pool; however, OCR has publicly posted that entities with an open complaint investigation or that are currently undergoing a compliance review, will not be selected for a Phase 2 audit.

3. Desk Audits. After OCR selects the auditees, OCR will first perform desk audits of Covered Entities and then will replicate the desk audit process for Business Associates.

  • Topics: Desk audits will be limited in scope and will focus on the following topics: risk analysis, risk management, notice of privacy practices, an individual’s right to access his/her Protected Health Information, and breach notification letters (looking at both content and timeliness).
  • Information Request: Audited entities will have 10 days from the date of the information request to respond to OCR, and entities must submit their response and relevant documentation online using a new secure audit portal on OCR’s website. OCR states that all documents must be in digital form and submitted electronically via this portal.
  • Findings: After OCR receives the documents from the audited entity, an auditor will review the information and provide draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.
  • Timeline: Desk audits are scheduled to be complete by the end of December 2016.

4. Onsite Audits. After the conclusion of desk audits, OCR will complete onsite audits of selected Covered Entities and Business Associates, some of which may be entities that went through the desk audit process. Similar to desk audits, entities will be notified via email of their selection for an onsite audit.

  • Topics: Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements under HIPAA.
  • Timeframe: Each onsite audit will be conducted over 3 to 5 days onsite, depending on the size of the entity.
  • Findings: Entities will have 10 business days to review the draft findings and provide written comments to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.

5. Post-Audit Findings. OCR has indicated that its primary purpose in conducting the Phase 2 audits is to better understand Covered Entity and Business Associate compliance efforts related to certain aspects of the HIPAA regulations and not to bring enforcement actions. However, OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue. OCR intends to use its audit findings to identify the types of technical assistance OCR should develop and the types of corrective action that would be most helpful. Through the information gleaned from the audits, OCR will also develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. OCR will not publicly post the identity of the audited entities and the individual findings; however, some information, such as the audit notification letters, may be requested and made available to individuals under the Freedom of Information Act (FOIA).