OCR Begins HIPAA Audits Phase 2: Are You Ready?

As promised, the Office of Civil Rights (OCR) recently announced it will begin Phase 2 of its HIPAA privacy, security and breach notification audits later this year. The majority of the audits will be desk audits; however, OCR will also conduct some more extensive onsite audits. Covered entities as well as business associates are subject to Phase 2 audits.

Selected covered entities and business associates will receive an e-mail from OCR to confirm their contact information. Entities will have 14 days to respond to the initial e-mail to update their contact information. Failure to respond will keep the entity in the audit pool; however, OCR will use public records to determine the proper contact person. OCR expects that entities will be checking their junk and spam folders for this initial contact.

Once a covered entity or business associate has been selected for a desk audit, the OCR auditor will send a request for documentation that must be uploaded to the OCR secure portal within 10 days. The request will generally be for either privacy, security or data breach notification policies and procedures, notices of privacy practices, or security risk assessments. After a review of the submitted documentation, the OCR auditor will issue an initial report to the entity. The entity will have 10 days to review and return the report with comments. OCR will issue a final report within 30 days of receipt of comments. The timeline and steps are the same for both covered entities as well as business associates.

Are You Ready for a HIPAA Audit?

This very short turnaround timeframe to submit requested documentation for review will not allow for any last minute updates of HIPAA policies and procedures or risk analyses. It is vital that all covered entities and business associates review and update as necessary their HIPAA programs now. When the Phase 1 audits were completed, at least one issue was uncovered in every single audit. The OCR takes HIPAA audits very seriously and is thorough in its review.

Some items and issues the OCR has been looking at lately as part of its complaint investigations include:

• Policies and procedures: OCR will be looking for these to be up-to-date, adherent to HIPAA regulations, and followed by all members of the workforce.
• Education of the entire workforce: As well as education for new workforce members, OCR is looking for evidence of ongoing HIPAA education and awareness programs. As a best practice, OCR recommends annual training of the entire workforce.
• Business associate contracts: OCR will be asking for a list of current business associates from all audited covered entities and verifying that current executed business associate agreements are in place.
• Security risk assessment: Covered entities as well as business associates are expected to complete security risk assessments periodically. Although OCR does not specify an exact time frame, annually is a good rule of thumb for updating the security risk assessment.

The OCR will be posting more information on audit protocols in the months to come. In addition, many documents, frequently asked questions and sample forms are available on the OCR website at, http://www.hhs.gov/ocr/index.html.

An important thing to keep in mind is that HIPAA programs, both privacy and security, should be specific to your organization. Therefore, the use of boilerplate policies and procedures or risk analyses, without modification to your specific circumstances, should be avoided. Marcum advisors can help review your HIPAA implementation with your Privacy and Security Officers and provide education to your workforce. Contact our Healthcare team at (847) 282-6300 for more information.