The Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (DHHS) recently announced that it has initiated Phase 2 of its audit program to assess Covered Entities' and Business Associate's compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules (the HIPAA Audit Program).

OCR has been under scrutiny in recent years for its lack of oversight and enforcement activity. In September 2015, the Office of Inspector General ("OIG") of DHHS released a report which concluded that the OCR needed to increase its oversight of Covered Entities' and Business Associate's compliance with the HIPAA Privacy Rule. OCR responded by stepping up its enforcement activities, including the initiation of Phase 2 of its HIPAA Audit Program.

In 2011 and 2012, OCR implemented Phase 1 of the HIPAA Audit Program, by assessing the controls and processes implemented by a small sample of Covered Entities. Phase 2 of the HIPAA Audit Program will extend to Business Associates.

Covered Entities and Business Associates who are selected for the audit will receive an email from OCR requesting that contact information be provided to OCR. OCR will then transmit a pre-audit questionnaire to gather information about the Covered Entity or Business Associate, which will be used to create potential audit subject pools. OCR has indicated that a Covered Entity or Business Associate may be selected for an audit or subject to a compliance review, even if it does not verify its contact information or submit a pre-audit questionnaire.

OCR will notify the Covered Entities and Business Associates that have been selected for an audit. OCR will be performing two types of audits – a "desk audit" and an "onsite audit." If an entity is subject to a "desk audit", OCR will submit a document request to the Covered Entity or Business Associate, and the entity will have ten business days to submit documentation responsive to OCR's request. If an entity is subject to an "onsite audit", OCR will conduct a three to five day onsite audit of the entity. OCR has not yet posted its updated audit protocol that reflects the HIPAA Omnibus rulemaking on is website, but states that it will do so prior to conducting the 2016 audits. OCR will draft a report of its findings from either the desk audit or the onsite audit, and Covered Entities and Business Associates will have the opportunity to review and comment on the draft report. The auditor will complete a final audit report for each entity within thirty business days of the initiation of the audit. In the event that an audit report indicates a serious compliance issue, OCR may initiate a compliance review to further investigate the Covered Entity or Business Associate. Covered Entities and Business Associates may be fined for non-compliance.

What You Should Do Now

Covered Entities and Business Associates should prepare now to respond to OCR audit requests and proactively address any outstanding HIPAA compliance issues within their organization. Some key areas of compliance include:

  • Conducting regular security risk assessments and documenting corrective actions to address identified risks,
  • Ensuring that the organization has adequate, documented HIPAA compliance policies and procedures (including protections for laptops and mobile devices and other key areas for risk of breaches), and
  • Providing HIPAA training to employees.

OCR recently released a crosswalk, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC) that maps the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HIPAA Security Rule. Covered Entities and Business Associates should assess their security policies and procedures in the context of this recently released framework and the HIPAA Audit Protocol when considering the adequacy of their security posture.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.