On Monday, March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) formally announced the launch of the long-awaited and much anticipated Phase Two HIPAA compliance audits. Phase One of these audits was conducted as a pilot program in 2011 and 2012 on 115 covered entities. The Phase Two audits will include both covered entities and business associates. Every covered entity and business associate is eligible for an audit, except that OCR will not audit entities with an open complaint or that are currently undergoing an OCR compliance review. Under the Phase 2 audits, OCR will review the policies and procedures implemented by the audited covered entities and business associates to determine compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

OCR is initiating the Phase Two audit program by sending emails to covered entities requesting verification of the covered entity’s address and contact information. OCR expects the covered entity to check the junk or spam folder for any e-mails from the following OCR e-mail address: OSOCRAudit@hhs.gov. Once the covered entity has responded to OCR in a timely manner, OCR will send a pre-audit questionnaire to gather data about the size, type, and operations of the organization. The pre-audit questionnaire will also ask covered entities to identify their business associates. Business associates will then also receive the pre-audit questionnaire. OCR has also made it clear that if a covered entity or business associate fails to respond to the information requests, OCR will use publically available information about these entities to create the audit pool, meaning they still may be selected for an audit.

OCR will then use the information collected from the pre-audit questionnaires to create the Phase Two audit pool. According to OCR, sampling criteria for selection of the entities to be audited (“auditees”) will include “size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.” Once a wide-range of covered entities and business associates have been identified, OCR will determine which entities to audit in the “coming months.”

OCR plans to do three rounds of audits. The first round will be desk audits (involving document review only) of covered entities. The second round will be desk audits of business associates. OCR expects an auditee to respond to all requests for documentation during the desk audit phase within 10 business days of the request. OCR states it expects desk audits to be completed by the end of December 2016. The third round of audits will be on-site audits of certain auditees that were subject to a desk audit, and this audit will involve a broader scope of compliance with HIPAA.

During the desk audit phase, an auditee will be required to submit all requests for documentation using a secure online OCR audit portal. Once the audit has been conducted, the OCR auditor will provide the auditee with a copy of the findings and the auditee will have 10 business days to review and provide comments to the auditor.  OCR will then share a copy of the final report with the auditee within 30-days.  These timing requirements will also apply to the on-site audits.

Finally, it is worth noting that these audits are “primarily a compliance improvement activity,” enabling OCR to provide technical assistance to ensure covered entities and business associates comply with HIPAA. However, if an audit report indicates a “serious compliance issue,” OCR may initiate a compliance review to further investigate.  OCR has stated that it will not post a list of auditees or the findings of an individual audit that identifies an auditee.

For more information about the Phase Two audits, visit OCR’s website here.