HIPAA Privacy, Security, and Breach Notification Audit Program: Audit Phase 2
HHS’s Office for Civil Rights (OCR) has launched the second phase of its audit program to review compliance with HIPAA’s privacy, security, and breach notification rules. OCR has already started sending emails to covered entities and business associates requesting contact information (a sample email letter is included in the guidance). Next, OCR will send pre-audit questionnaires to help identify pools of covered entities and business associates representing a broad spectrum of audit candidates. Selection criteria for audits will include size and type of entity, relationship to individuals, affiliation with other health care organizations, whether the entity is private or public, and geographic factors. OCR will not audit entities with an open complaint investigation or compliance review. Initially, OCR will focus on desk audits—first of covered entities, then of business associates. Later, on-site audits will examine a broader range of HIPAA requirements, and some entities that received a desk audit may subsequently be selected for an on-site audit as well.
Entities selected for a desk audit will be sent email notification of their selection. Then, they will receive an information request asking them to submit documents online through a new secure audit portal on OCR’s website within ten days after the request. After reviewing the information, the auditor will provide draft findings, allowing ten business days for written comments to be submitted. A final audit report will be completed within 30 days and then sent to the audited entity. On-site audits will include an entrance conference, followed by three to five days of on-site work. As with desk audits, entities subject to an on-site audit will be given an opportunity to comment on the draft audit report, and a final report will be shared with them. If an audit report indicates a serious compliance issue, OCR may investigate further. Although OCR will not identify audited entities publicly or publicize audit findings in a way that identifies the entities, it notes that Freedom of Information Act requests may require it to release information about entities in response to a public request. OCR will use aggregate audit results to develop technical assistance, corrective actions, and industry self-evaluation tools to help prevent breaches.
EBIA Comment: OCR promises that an updated audit protocol—reflecting the HIPAA omnibus rule (see our Checkpoint article)—will be posted on its website closer to commencement of the actual audits. Given the short time for responding to OCR information requests, it will behoove covered entities and business associates to check their compliance status before they are contacted by OCR—there won’t be time to create documents after an information request is received—and the updated protocol may provide a useful tool for self-evaluation. Also, since communications from OCR will come via email and may be incorrectly classified as spam, entities should make a practice of checking their junk or spam email folders for any emails from OCR. OCR cautions that entities failing to respond to OCR’s information requests may still be selected for an audit or subject to a compliance review. For more information, watch for updates to EBIA’s HIPAA Portability, Privacy & Security manual at Section XX.C (“HIPAA Compliance Audits by HHS”).
Contributing Editors: EBIA Staff.