OCR's HIPAA Phase 2 Audits Are Here: Check Your Spam and Junk Folders
On March 21, the HHS Office for Civil Rights (OCR) announced its launch of the long-anticipated Phase 2 of the HIPAA Audit Program. OCR is currently verifying, via email, contact information for potential covered entity (CE) and business associate (BA) auditees. All covered entities – including health care providers of all types and sizes, self-funded employer group health plans, and health care clearinghouses – as well as the full range of business associates, are eligible for audit. Receiving this initial communication does not mean OCR has selected your organization for audit. However, because response deadlines are tight, potential auditees must keep a diligent lookout for the email, which includes checking the appropriate spam and junk email folders daily. OCR will notify selected auditees within the coming months. Desk audits will conclude by the end of December 2016, and select, more rigorous and comprehensive site audits will then begin.
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to conduct periodic audits of CEs’ and BAs’ compliance with the Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR conducted a pilot (Phase 1) audit of 115 covered entities, including a broad range of health care providers, health plans, and health care clearinghouses (OCR did not audit BAs). The pilot audit involved three steps: (1) developing audit protocols; (2) conducting an initial wave of 20 audits to test the protocols; and (3) conducting the full range of audits. Every pilot audit included a site visit and resulted in an audit report. HHS used the pilot audits primarily as a compliance improvement activity and to determine the most effective types of technical assistance and corrective action.
Phase 2 of the HIPAA Audit Program draws on OCR's evaluation of the pilot audits. Every covered entity and business associate – whatever its size and function – is eligible for audit. Sampling criteria for selection will include:
Size of the entity;
Affiliation with other healthcare organizations;
Type of entity and its relationship to individuals;
Whether an organization is public or private;
Geographic factors; and
Present enforcement activity with OCR.
OCR makes clear that it is "committed to transparency about the process," and will publish audit protocols "closer to conducting" the audits.
In Process: Selecting Auditees
OCR has begun obtaining and verifying CE and BA contact information to determine potential auditee pools. OCR's initial communication will arrive by automated email and may be incorrectly identified as spam. CEs and BAs should check their junk and spam email folders daily for a communication from OCR. Note that savvy hackers may view this as an opportunity to conduct phishing campaigns. CEs and BAs who receive an email purportedly from OCR should verify that any attachments or links within the email are not malicious before opening them.
Recipients will have only 14 days to respond as instructed in the communication and confirm identity and email contact information. Failure to respond will not shield a CE or BA from selection.
Once OCR obtains and verifies contact information, it will send pre-audit screening questionnaires to potential auditees to gather data relevant to screening criteria. OCR advises covered entities to prepare a list of their BAs so the CEs are prepared to respond if they are included in a potential auditee pool. OCR will conduct a random sample of potential auditee pools, and notify CEs and BAs that they have been selected for audit.
Upcoming: Notifying Auditees and Conducting Audits
In the "coming months," OCR will notify selected CEs and BAs, by email, of their upcoming audit. Phase 2 will include both desk and site audits. While audit protocols are designed to work with a broad range of CEs and BAs, their application may vary with the auditee's size and complexity. Audits will be limited to compliance with the HIPAA Rules, and will not address State-specific privacy and security laws. The first audits will be desk audits of CEs, followed by desk audits of BAs. OCR's notification letter will introduce the audit team, provide more detail on the audit process, and describe "initial" document requests. Auditees will have 10 business days from the date of the request to submit requested documents and data electronically via a secure audit portal.
Auditors will examine the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review the draft findings and provide any written responses. Within 30 days of the auditee's response, OCR will prepare a final audit report and share it with the auditee.
While desk audits of CEs are in process, OCR will replicate the notification process for BAs. All desk audits will conclude by the end of December 2016.
Next, OCR will schedule site audits that will examine a broader scope of HIPAA Rules requirements. Desk auditees may also be subject to a site audit. OCR will notify CEs and BAs of their selection for site audit, and will schedule an entrance conference to discuss the process and expectations. Site audits will last 3-5 days, and "will be more comprehensive and cover a wider range of requirements from the HIPAA Rules," according to OCR's announcement.
As with desk audits, auditees will have 10 business days to review and respond to draft findings, and OCR will issue a final report within 30 days of the auditee's response.
After the Audits
OCR will not post a listing of audited entities, or individual audit findings that clearly identify the audited entity. However, FOIA requests may require OCR to release audit notification letters and other audit information.
As with the pilot audits, OCR states that the Phase 2 audits "are primarily a compliance improvement activity." OCR will use aggregated audit results to better understand compliance efforts, and develop appropriate technical assistance, corrective action, and industry tools and guidance. However, OCR makes clear that a "serious compliance issue" may result in an investigation of the CE or BA.
What Can CEs and BAs Do Now?
While OCR is sending its initial confirmatory emails, CEs and BAs should prepare for the possibility that they may be selected for an audit pool:
Determine the person or persons at your organization OCR is most likely to identify as the "primary contact," and notify them to diligently monitor for the initial OCR communication. This should include daily checking of spam and junk email files.
Consider an entity-wide communication informing the workforce of the potential for OCR communication, and of the potential for phishing and malware attacks under the guise of such communications. Instruct all workforce members to notify the Privacy Officer and/or Security Officer immediately (and tell them how to do it) if they receive a communication purporting to come from OCR – without clicking on attachments or links – so that the attachments and links can be examined promptly in a secure environment.
Remember: CEs and BAs will have only 14 days to respond to the initial communication. If the OCR communication does not specify calendar or business days, assume the shorter time period and respond accordingly. Failure to respond will not exempt your organization from audit.
Covered entities: Identify your business associates, verify current contact information, and gather all business associate agreements.
Identify an audit team who can respond immediately should your organization be identified as a preliminary auditee, and in the long-term should you be selected for audit.
Gather documentation OCR is likely to request, including:
Privacy Rule (PR), Security Rule (SR), and Breach Notification Rule (BNR) policies and procedures.
Documentation of employee training (materials and participation).
Documentation of requests for access to PHI, and the organization's response.
Logs of unauthorized disclosures of PHI.
Results of SR risk analysis, and corrective action taken.
Documentation of the organization's security management process.
Documentation of investigations of potential breaches of unsecured PHI, and breach notification.
Documentation of efforts to mitigate harmful effects of privacy breaches and security incidents.
Documentation of disciplinary procedures for workforce members who violate the HIPAA Rules.
Review OCR's Phase 1 audit protocols to understand what upcoming protocols may look like.
Contact counsel immediately should your organization receive an initial identification notice from OCR. Counsel can assist you in organizing documents and data OCR may request, filling any existing gaps (more on this below), and identifying any potential privilege issues – which should be asserted with extreme caution and mindfulness of potential consequences, if at all.
Begin to fill potential compliance gaps now. For purposes of the audit itself, OCR will likely consider only documentation that existed at the time of the notification/request (and your organization must, of course, be transparent about what existed when). Even so, you may have the opportunity to demonstrate best efforts by showing what you did after notification to identify and mitigate potential non-compliance.
For more information, please contact Kimberly Metzger or a member of our Data Security and Privacy
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.