Ready the Troops: HIPAA Audits Are Coming

With the New Year often come new resolutions. One resolution covered entities and business associates hopefully have made for 2016 is to be prepared for the possibility of facing a Phase 2 HIPAA audit from the Department of Health and Human Services’ Office of Civil Rights (“OCR”).

As part of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), OCR is required to conduct periodic audits of covered entities and business associates to assess their compliance with HIPAA Privacy, Security and Breach Notification Rules. OCR initiated Phase 1 of the HIPAA Audit Pilot Program in 2011 and 2012, and the health care community has been waiting for the next round of audits since the completion of Phase 1. Although plans to launch Phase 2 in 2014 did not materialize, Jocelyn Samuels, the Director of OCR, confirmed in Fall 2015 that OCR would commence Phase 2 audits in early 2016.

OCR’s announcement comes on the heels of two reports issued by the Office of Inspector General (“OIG”) in September 2015 that were critical of OCR for its inadequate oversight of covered entities’ compliance with the Privacy Rule and its follow up of breaches reported by covered entities.

In preparing its reports, the OIG reviewed a statistical sample of privacy cases investigated by the OCR from September 2009 through March 2011 and interviewed OCR staff and officials. The reports contain a number of significant findings. For example, regarding OCR’s oversight of covered entities’ compliance with HIPAA privacy standards, the OIG found that in half of the cases reviewed, covered entities were noncompliant with at least one privacy standard. In addition, the OIG found that 29% of OCR staff rarely or never checked whether a covered entity was previously investigated and that OCR’s case-tracking system was limited in functionality. Regarding the OCR’s oversight of reported HIPAA breaches, the OIG similarly found that in almost all large-breach cases reviewed covered entities were noncompliant with at least one HIPAA standard, and that OCR entirely failed to track small-breach cases in its case-tracking system.

A significant theme highlighted by the OIG in these reports was that OCR’s investigation of noncompliance was generally reactive, such as investigating complaints that it received, and not proactive. To that end, it noted that OCR had not “fully implemented the required audit program to proactively assess possible noncompliance from covered entities.” Among several other recommendations, OIG recommended that OCR fully implement a permanent audit program. OCR concurred with this recommendation, and advised OIG that as part of implementing a permanent audit program, Phase 2 would be launched in early 2016.

Although OCR has yet to confirm a number of specifics about Phase 2 HIPAA audits it has noted several important features about Phase 2. It will consist of a combination of desk audits and on-site reviews. It will focus on specific but common areas of noncompliance. And, significantly, Phase 2 will be widened to include business associates. Also, Phase 2 HIPAA audits will consider an entity’s history of HIPAA compliance and prior undertakings to become HIPAA compliant.

Covered entities and business associates should take note that an additional 4 million dollars has been appropriated to OCR’s FY 2016 budget, as compared to OCR’s FY 2015 budget.1 This budget increase could support the OIG’s increased, proactive audit activities as recommended by the OIG.

With OCR under increased scrutiny by the OIG and having increased resources to implement the OIG’s recommendations, covered entities and business associates should not be surprised to find OCR taking a more proactive approach to enforce HIPAA policies in Phase 2.

To the extent that covered entities and business associates have not already taken steps to be HIPAA compliant, or have not recently reviewed or updated their policies and procedures, the launch of Phase 2 would be an ideal time to do so. To avoid the headaches and possible liability exposure that could result from being unprepared to respond to an OCR audit or findings of noncompliance, entities can take a number of proactive steps, such as carefully reviewing OCR’s Audit Program Protocol, which OCR stated it is in the process of updating, considering the need to conduct an updated security risk assessment, examining its policies and procedures, and evaluating the need for workforce training. As recommended by OCR in past privacy and security forums, the best defense to a HIPAA audit is conducting periodic and comprehensive risk analyses. Phase 2 audits should be taken seriously by covered entities and business associates, and they should not forego this important opportunity to evaluate their compliance activities.