HIPAA Phase 2 Audit Update

After much wait and anticipation, the Office for Civil Rights (“OCR”) announced on March 21, 2016, the launch of its Phase II HIPAA Audits. Following initial audits in 2011 and 2012, OCR was targeting 2016 to begin Phase II. Now that Phase II is in full swing, this article will summarize what we know about Phase II and what we can expect in the near future.

OCR plans to roll out Phase II audits in three rounds. The first two rounds will be desk audits of covered entities and business associates, respectively, with a focus on specific topics identified by OCR. The third round will consist of comprehensive, on-site audits of both covered entities and business associates. As discussed below, OCR notified covered entities selected for desk audits on July 11, 2016. Desk audits of business associates are anticipated to start in late September 2016. On-site audits of both covered entities and business associates are planned to begin in early 2017. Phase II will consist of 200-250 total audits with over 200 of those audits being desk audits.

In connection with the Phase II audits, OCR released a revised Audit Protocol in April 2016. The Audit Protocol, which is divided among Privacy, Security, and Breach Notification elements, substantially revised the prior version that OCR had developed as part of Phase I audits. Among other things, it incorporates the changes from the Omnibus Rule in 2013. The Audit Protocol is available on OCR’s website and would be a useful resource to download and review whether for purposes of preparing for an OCR audit or for any self-auditing and compliance activities.

Desk audits will focus either on Privacy and Breach Notification elements or on Security elements. According to OCR, the Privacy Rule and Breach Notification Rule elements will address topics such as the Notice of Privacy Practices and its content, the provision of electronic notice, the patient’s right of access, and the timeliness and content of breach notification. The Security Rule elements will explore risk analysis and risk management. OCR published on its website more detailed guidance on these selected protocol elements, along with other helpful information about Phase II.

Following the March 21, 2016 announcement, OCR gathered contact information and questionnaires from covered entities to create a potential audit pool. On July 12, 2016, OCR announced that it had initiated desk audits of 167 covered entities with e-mailed notice to those entities on July 11, 2016. The notice advised the entities that they had been selected for the desk audit and provided instructions for the audit process including requesting specific documentation responsive to particular audit issues. A second e-mail to the selected entities requested a list of all of the covered entity’s business associates. Auditees will have a strict 10 business day deadline to respond to these e-mails only with relevant, responsive documentation or submit an explanation for the deficiency. OCR will then generate draft findings and share it with the entity. It will have the opportunity to respond to the draft findings, which will be incorporated into a final audit report. OCR has stated it will not publically disclose the identity of selected entities or the audit reports, but cautioned that some of this information may be subject to FOIA requests.

Desk audits for business associates this fall will proceed in the same fashion as desk audits of covered entities, although the topics selected by OCR will not involve those elements of the Privacy, Security and Breach Notification Rules not applicable to business associates.

OCR states that Phase II audits are primarily a compliance activity. It will use the audit results to better understand compliance efforts, determine what technical assistance should be developed and what corrective action would be helpful. OCR will also develop additional tools and guidance for entities’ compliance activities and preventing breaches. However, it has reminded the industry of its broad authority to open compliance reviews if an audit revealed significant threats to the privacy and security of PHI.

By the time this article is published, OCR likely will have neared the end of its desk audits of covered entities. However, even if an entity avoided a desk audit, it does not mean it is out of the woods. There is still the possibility of selection for an on-site audit. In addition, it is anticipated that OCR will eventually implement a permanent audit program. The increased number of settlements within the last year by OCR, among other things, demonstrates OCR’s increasingly aggressive stance towards enforcement. Given the current climate, there is no better time than now for every covered entity and business associate to carefully review its HIPAA compliance.