Phase 2 of HIPAA Compliance Audits Now Underway

23 March 2016 Health Care Law Today Blog

The Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (DHHS) recently announced that it has initiated Phase 2 of its audit program to assess Covered Entities’ and Business Associates’ compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules (the HIPAA Audit Program).

OCR has been under scrutiny in recent years for its lack of oversight and enforcement activity. In September 2015, the Office of Inspector General (“OIG”) of DHHS released a report which concluded that OCR needed to increase its oversight of Covered Entities’ and Business Associates’ compliance with the HIPAA Privacy Rule. OCR responded by stepping up its enforcement activities, including the initiation of Phase 2 of its HIPAA Audit Program.

In 2011 and 2012, OCR implemented Phase 1 of the HIPAA Audit Program by assessing the controls and processes implemented by a small sample of Covered Entities. Phase 2 of the HIPAA Audit Program will extend to Business Associates.

Covered Entities and Business Associates who are selected for the audit will receive an email from OCR requesting that contact information be provided to OCR. OCR will then transmit a pre-audit questionnaire to gather information about the Covered Entity or Business Associate, which will be used to create potential audit subject pools. OCR has indicated that a Covered Entity or Business Associate may be selected for an audit or subject to a compliance review, even if it does not verify its contact information or submit a pre-audit questionnaire.

OCR will notify the Covered Entities and Business Associates that have been selected for an audit. OCR will be performing two types of audits – a “desk audit” and an “onsite audit.” If an entity is subject to a “desk audit”, OCR will submit a document request to the Covered Entity or Business Associate, and the entity will have ten business days to submit documentation responsive to OCR’s request. If an entity is subject to an “onsite audit”, OCR will conduct a three to five day onsite audit of the entity. OCR has not yet posted on its website the updated audit protocol that reflects the HIPAA Omnibus rulemaking, but states that it will do so prior to conducting the 2016 audits. OCR will draft a report of its findings from either the desk audit or the onsite audit, and Covered Entities and Business Associates will have the opportunity to review and comment on the draft report. The auditor will complete a final audit report for each entity within thirty business days of the initiation of the audit. In the event that an audit report indicates a serious compliance issue, OCR may initiate a compliance review to further investigate the Covered Entity or Business Associate. Covered Entities and Business Associates may be fined for non-compliance.

What You Should Do Now

Covered Entities and Business Associates should prepare now to respond to OCR audit requests and proactively address any outstanding HIPAA compliance issues within their organization. Some key areas of compliance include:

  • Conducting regular security risk assessments and documenting corrective actions to address identified risks,
  • Ensuring that the organization has adequate, documented HIPAA compliance policies and procedures (including protections for laptops and mobile devices and other key areas for risk of breaches), and
  • Providing HIPAA training to employees.

OCR recently released a crosswalk, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that maps the NIST Framework for Improving Critical Infrastructure Cybersecurity to the HIPAA Security Rule. Covered Entities and Business Associates should assess their security policies and procedures in the context of this recently released framework and the HIPAA Audit Protocol when considering the adequacy of their security posture.
