Phase 2 HIPAA Audits Underway

The HHS Office for Civil Rights (OCR) has begun its effort to audit covered entities and business associates for compliance with HIPAA. We have previously reported on OCR’s preparations for these proactive audits.

OCR implemented Phase 1 of the program in 2011 as a pilot program, under which OCR evaluated the efforts of 115 covered entities to comply with HIPAA.  OCR described the pilot program as a “compliance improvement activity,” explaining that “OCR used the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective.”

In March, OCR announced the launch of Phase 2 of the HIPAA Audit program, under which it will expand to more covered entities and, for the first time, include proactive audits of business associates.  OCR explained that it will send covered entities and business associates, via email, a “pre-audit questionnaire” to gather data about the size, type, and operations of potential auditees to create audit subject pools.

Any covered entity or business associate may receive a pre-audit questionnaire. OCR has said that it will seek a “broad spectrum of audit candidates,” based on size, types, and operations.  Covered entities will be asked to identify their business associates.  Then, OCR will choose auditees based on a random sampling of the audit pool.  Covered entities and business associates that fail to respond to the questionnaire may still be part of the audit pool; OCR notes it will fill out the questionnaire based on publicly available data about the entity.

As Phase 2 moves forward, OCR states that these audits will, at first, consist of desk audits that review the HIPAA policies and procedures of the selected covered entities and business associates.  OCR plans to focus first on covered entities and then on business associates.  OCR then plans to conduct a third set of audits that will examine a “broader scope of requirements,” and some desk audits may turn into on-site audits.

As the OCR audits proceed, covered entities and business associates should take this opportunity to ensure that that HIPAA compliance programs are sound and that policies and procedures are up to date.