Setting Expectations for the Phase 2 HIPAA Audits
Previously, the Office of Civil Rights (OCR) had announced that during the Phase 2 HIPAA Audits, it would utilize “desk audits” rather than onsite visits. However, recent announcements by the OCR indicate that while most audits in Phase 2 will still be desk audits, the OCR is planning to conduct more on-site, comprehensive audits than previously planned. While the Phase 1 Audits were conducted by outside contractors, the OCR will personally conduct the Phase 2 Audits.
What should you expect with a desk audit? Desk audits are administered by sending a list of required documents to the audited organization, which must then submit the documents for review by OCR personnel. The organization has two weeks to respond to the request. Desk audits involve no personal interaction and, as a result, no opportunity to ask questions of the auditor or provide clarifications. Therefore, a positive audit outcome depends on proper documentation, written in a clear and comprehensive manner.
It is presumed that the OCR will continue the policy from the Phase 1 Audits that allowed revision and/or creation of requested documentation up until the submission date; however, with success contingent upon good documentation, two weeks will not likely provide sufficient time to create and implement required policies. The following table outlines OCR’s expectations for Phase 2 Audits.
Phase 2 HIPAA Audits: OCR Expectations
Only timely submitted documentation will be reviewed by the OCR.
Documentation must be current as of the date of the request.
As originally proposed for the desk audits, auditors will not contact the organization for clarification or additional information.
Submitting extraneous documentation may hinder the auditing processes and will potentially cause adverse audit findings.
OCR will review all documents submitted. Any issues identified in extraneous documentation will be acted upon.
To learn more, check out the educational resources offered by Ice Miller’s Data Security and Privacy practice.