Thursday, June 11, 2015

Phase 2 HIPAA Audits Launched by OCR

OCR Launches Phase 2 HIPAA Audit Program

The U.S. Department of Health and Human Services Office for Civil Rights has sent pre-audit screening surveys to covered entities (CE) and their business associates (BA) that could be selected to participate in Phase 2 of the HIPAA audit program, OCR has confirmed.

In an emailed statement, OCR said it has started verifying contact information for covered entities. “Additional information about the audit program is forthcoming,” the statement said. “Check our website for updates.”

The HITECH Act of 2009 first called on OCR to conduct periodic HIPAA audits to ensure CEs and BAs were following the Privacy, Security, and Breach Notification Rules, amid a regulatory push for greater use of health IT and national standards for security and privacy. It was a recognition that new technologies can also pose increased risk to consumer privacy.

OCR conducted and evaluated the HIPAA pilot audits between 2011 and 2013, measuring the efforts of 115 CEs to comply with HIPAA standards. The process to finalize procedures for Phase 2 of the audits dragged on due to various delays until a pre-audit survey was approved by the Office of Management and Budget on March 13, 2015, for distribution to 500 CEs and 200 BAs.

The survey was then mailed out in mid-May. The intent of the pre-audit survey is to collect information to help OCR identify a broad range of organizations that are suitable for HIPAA audits. It looks at such things as size, complexity, operations, use of EHR, revenue, and how BAs handle PHI. A smaller sample of the survey group will then be selected for the audits that were originally slated to begin in the fall of 2014.

This past March, OCR Director Jocelyn Samuels confirmed the audit procedures were still being finalized, but would begin soon, presumably sometime in 2015. Audits for BAs should begin after CE audits are underway.

Questions still remain about the actual protocol or criteria OCR will use for the Phase 2 audit. The agency hasn’t shed any light yet on whether this protocol will be different from the one used in the pilot audit. However, one difference in the process is that OCR expects to use desk-based assessments, meaning the agency will not conduct on-site audits unless resources are available.

Even though there are no firm dates yet, CEs and BAs should begin preparing for a possible audit. Visit the OCR audit program website for official updates.

(HCPro website, FierceMarkets website)