Phase 2

OCR Phase 2 Audits Have Begun

As of March 22, 2016, the Office for Civil Rights (OCR) has officially begun their Phase 2 HIPAA Privacy, Security, and Breach Notification Audit Program. This announcement comes after months of speculation and preparation for the eventual roll-out of this new program. Luckily, with Compliancy Group you won’t have to go it alone. Just like Paul Revere on his midnight ride, we’re here to warn you of the dangers ahead, and keep you as informed as we can about the forthcoming updates coming out of OCR.

When the Phase Two audits were first announced in October of 2015, speculation about the exact nature of the program began to run rampant. However, with this new guidance from OCR, the criteria and the content of the audits have become clear. These Phase 2 audits are only a precursor to the permanent audit program that OCR is planning to release within the coming years. Understanding what’s required of you now is a proactive step that you can take to keep your organization out of the headlines in the future, and maintain the integrity of your reputation.

What Are They Looking For?

In OCR’s announcement on the HHS Health Information Privacy website, they said that “The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

The HITECH Act, which was passed in 2009, made provisions for OCR to routinely audit CEs and BAs for compliance with the Privacy, Security, and Breach Notification Rules. Each of these rules have been enforced with increasing frequency over the past year, and now it seems that OCR Director, Jocelyn Samuels is taking that enforcement one step further.

The Phase 1 audits were carried out in 2011 and 2012, however they only targeted CEs. The results of Phase 1 showed a shocking pattern of non-compliance, with only 11% of audits reporting no findings–meaning that only 11% of the Covered Entities that were audited showed no deficiencies in their compliance.

Understanding what’s required of your organization under the Privacy, Security, and Breach Notification Rules should be a priority among potential auditees. However, users of The Guardâ„¢ can rest easy knowing that all of the necessary policies and procedures outlined by these HIPAA Rules are built into our solution. If you’ve done your due diligence and made progress with your compliance implementation, you should be well on your way to understanding what’s required of you.

Who’s Going to be Audited This Time?

OCR has included explicit provisions in their Phase 2 audits to include both CEs and BAs in their program this time around, saying that “every covered entity and business associate is eligible for an audit.”

OCR is looking to identify CEs and BAs that vary in size, operation, and location. OCR will look at a wide range of potential auditees to attain a broad analysis of HIPAA compliance across the healthcare industry. However, if an organization has an ongoing complaint that is being investigated by OCR, they will not be eligible for a Phase 2 audit.

Two hundred CEs and BAs in total are set to be audited during this initial round of desk-only audits. If a CE or BA is chosen to be a part of the group of potential auditees, they can expect the process to follow a fairly simple route, outlined below:

Round 1 – Email Contact and Questionnaire

  • Covered Entities will receive an email from OCR to verify their contact information
  • Covered Entities will fill out a questionnaire from OCR to assess their size, scope, and operations
  • Covered Entities will be asked to compile a list of all of their Business Associates with contact information
  • Failure to respond will not exclude a Covered Entity from potentially being audited, OCR will simply use publicly available information

Round 2 – Business Associates

  • Business Associates will be contacted in the same manner as Covered Entities
  • Business Associates will likely be asked to provide a list of subcontracted BAs who also deal with Covered Entities
  • Failure to respond will not exclude a Business Associate from potentially being audited, OCR will simply use publicly available information

Round 3 – Notification, Selection, and Desk Audits

  • If a CE or BA is chosen for a desk audit, OCR will notify the organization via letter explaining the audit process and expectations
  • OCR will likely request certain documents from CEs and BAs
  • CEs and BAs will need to respond to the letter and provide any requested documents within 10 days
  • OCR will review requested documents and submit a draft report to CEs and BAs
  • CEs and BAs will need to review and respond to OCR’s report within 10 days
  • Final audit reports will be completed and delivered by OCR within 30 days of receiving responses

Round 4 – Onsite Audit

  • CEs and BAs may also be selected for onsite audits via notification from OCR
  • OCR will conduct an entrance conference, explaining the audit process and expectations
  • Onsite audits will be conducted over the course of three to five days
  • OCR will provide a report to audited CEs or BAs within 10 days
  • CEs and BAs will need to review and respond to OCR’s report within 10 days
  • Final audit reports will be completed and delivered by OCR within 30 days of receiving responses

Round 5 – Post-Audit Follow-Up

  • OCR will use audit reports to assess the types of assistance and corrective action they should provide going forward
  • However, if an audit reveals a serious breach in compliance, OCR will likely decide to investigate the CE or BA further through a full compliance review