OCR Notice

Did You Receive an OCR Notice for the Phase 2 Audit? What’s Next?

Now that OCR has officially started the Phase 2 HIPAA Audit Program, are you adequately prepared to be an auditee? OCR is currently compiling its pools of potential auditees that will be selected at random for auditing purposes. Many healthcare providers have already received this OCR notice requesting verification of contact information which must be responded to within 14 days. While this notice does not necessarily indicate that the provider will be audited, the provider will be entered into the pool of potential auditees. In conducting its data gathering efforts, OCR will also request completion of an Audit Pre-Screening Questionnaire to gather information on the size, type, and operations of potential auditees, which can be viewed on the HHS website.

1st Round - Desk Audits

The first round of audits will take the form of desk audits, which are scheduled to be completed by December 2016. These desk audits will be completed in two sets, the first focused on covered entities and the second on business associates. Selected auditees will receive email notification from OCR along with an initial request for documentation and data. Auditees will have only 10 business days to respond to the request by submitting the requested information via OCR's new secure online portal. Providers will be required to identify and provide detailed information on each of their business associates. Depending on the findings of the desk audit, auditees may be subject to a subsequent onsite audit. Upon completion of the desk audit, OCR will prepare and share its draft findings. Auditees are granted 10 business days to respond to the draft findings with any written comments, and OCR will then issue a final audit report within 30 days.

2nd Round - Onsite Audits

The second round of audits will be conducted as onsite visits, which will be a more comprehensive examination than the desk audit. Selected auditees will receive email notification from OCR. The onsite audit starts with an entrance conference that reviews the audit process, followed by the actual audit, which can last from three to five days.

Auditees selected for the onsite audit will have the same amount of time to review OCR's draft findings as described above before a final audit report is issued. OCR may initiate a compliance review if it uncovers serious compliance issues during this audit.

OCR’s Revised Audit Protocol

Last month, OCR revised its Audit Protocol to incorporate requirements from the HIPAA Omnibus Final Rule of 2013. Its auditors will use this protocol in conducting the Phase 2 audits. The protocol also serves as guidance on the areas a potential audit may focus on, and providers can use it as a risk assessment tool to evaluate their current compliance program.

Prepare As If You Are Going to Be Audited!

Preparation is key to successfully surviving the audit and continuing with the main goal of providing high quality patient care. Providers should be adequately prepared to participate in Phase 2 by (i) reviewing, updating, and enforcing internal policies and procedures relevant to the HIPAA Privacy, Security, and Breach Notification Rules; (ii) having documentation of compliance efforts readily available; (iii) reviewing OCR's updated Audit Protocol; and (iv) preparing staff in the event of an audit. Time is of the essence when it comes to preparedness, as providers will have limited time to respond to OCR's audit requests once identified as an auditee. Moreover, providers can expect to be the target of a separate compliance review if violations are uncovered during an audit. This is especially true since the Office of Inspector General issued its September 2015 report criticizing OCR's oversight of covered entities, as mentioned in our previous blog post, Are You Prepared for the HIPAA Phase 2 Audits?