The HHS Office of Civil Rights (OCR) announced that the long-expected Phase 2 HIPAA audits are underway. OCR will use these audits to assess whether HIPAA covered entities and their business associates are complying with the law. The Phase 2 audits will focus on HIPAA compliance policies and procedures of both covered entities and their business associates related to specific requirements of the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. The exact requirements that will be the focus of the Phase 2 audits are unknown. 

Most of the audits will be "desk audits," but some on-site audits will also be conducted. The first indication that a covered entity or its business associate is being audited will be an e-mail from OCR asking the organization to confirm its contact information. This e-mail looks innocuous, so it is important that you not miss this early warning. OCR recommends that all covered entities and business associates check their e-mail spam filters to make certain that e-mails from OCR do not get caught there. This level of detail indicates just how serious OCR is about the Phase 2 audit program. We recommend that all covered entities and their business associates adopt measures to detect this contact by OCR.

You are not legally required to respond to this OCR e-mail. However, even if you do not respond, the organization might still be selected for an audit.

OCR is moving towards a permanent audit program and will use its findings from the Phase 2 audit program to design the permanent audit program. Every covered entity and business associate should be aware that these audits have commenced and be ready to respond to OCR requests for HIPAA policies and procedures. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.