On March 21, 2016, OCR finally announced Phase Two of its HIPAA Audit program (short version in the presser). Phase 1,
you may recall, kicked off in 2011 and consisted of 115 audits of
covered entities. OCR has had some hiccups along the way, but is now
just about ready to roll out a broader program. While these publications
are framed as kickoff announcements, the actual kickoff is not quite
here yet. OCR is still developing enhanced protocols for these audits
(which will be posted online “closer to conducting the 2016 audits”). In
Phase 2, OCR will be auditing both covered entities and business
associates, and it will be experimenting with desk audits.
While the results of an audit that identifies compliance issues could
be quite severe, OCR continues to treat its enforcement efforts as
an opportunity to examine mechanisms for compliance,
identify best practices, discover risks and vulnerabilities that may not
have come to light through OCR’s ongoing complaint investigations and
compliance reviews, and enable us to get out in front of problems before
they result in breaches. OCR will broadly identify best practices
gleaned through the audit process and will provide guidance targeted to
identified compliance challenges.
…
The aggregated results of the audits will enable OCR to better
understand compliance efforts with particular aspects of the HIPAA
Rules. Generally, OCR will use the audit reports to determine what types
of technical assistance should be developed and what types of
corrective action would be most helpful. Through the information gleaned
from the audits, OCR will develop tools and guidance to assist the
industry in compliance self-evaluation and in preventing breaches.
See, they just want to help …
In Phase 1, virtually all audit targets were found to be out of compliance in at least some respects.
OCR is in the process of verifying contact info for covered entities
and business associates, and is putting the regulated community on
notice to check spam filters, because they will be sending audit notices
via email.
As has been said before by OCR representatives, the agency will be
asking covered entities for lists of their business associates, with
contact info, so it would be a good idea for covered entities to pull
together lists of business associates (this is information that should
be easily accessible in any case). OCR will randomly select covered
entities and business associates for audit.
The plan is to conduct two sets of desk audits, one of CEs and one of
BAs, to be completed by December of this year. These will be focused on
specific requirements of the Privacy, Security or Breach Notification
Rules, and the audit subjects will be notified of the scope in the
notification letter. Desk audit subjects will be asked to submit
documents through a secure online portal within ten business days of the
request.
The third set of audits will be performed onsite and will be broader
in scope. Some lucky CEs and BAs will have the pleasure of both desk
audits and field audits.
There is an opportunity to review and comment on audit reports before they are finalized.
If an audit reveals a “serious compliance issue,” OCR may investigate further.
Audit reports will not be listed or posted automatically, but audit
notification letters, completed reports and other materials will be
subject to FOIA rules.
Obviously, the audit program will not reach all members of the
regulated community, and OCR has not announced how many CEs and BAs the
office intends to audit. The OCR complaint investigation apparatus will
not grind to a halt while these audits get underway, so all members of
the regulated community should of course remain actively engaged in
continuing their HIPAA compliance efforts.
For those who have not put a HIPAA
compliance program in place, or who may need to review business
associate agreements and policies and procedures, or conduct or update
risk assessments … act now!
David Harlow
The Harlow Group LLC
Health Care Law and Consulting