OCR Phase 2 Audit Program Underway

March 22, 2016 David Holtzman

The US Department of Health and Human Services, Office for Civil Rights (OCR) announced Monday that it has started Phase 2 of the HIPAA Audit Program that will lead to hundreds of reviews of covered entities and business associates.

Over the next seven months OCR will be conducting limited-scope desk audits of about 200 covered entities (CE) and business associates (BA). The agency said that it will also perform 24 on-site, comprehensive audits. According to OCR, most of the CE audits will be “desk audits,” requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet HIPAA requirements; a smaller number of comprehensive, on-site audits will also be conducted in this round.

OCR’s rollout of Phase 2 of the audit program is proceeding just as expected. OCR has sent communications via postal mail and email to identify and verify contact information for the designated privacy and security officials of HIPAA covered entities. Covered entities that receive these communications are asked to provide the requested information through an Internet portal maintained by OCR within two weeks of receipt of the request. This activity tracks with how the agency had said it would initiate the audit program.

Sometime in April, OCR is expected to follow up with a second communication to these covered entities seeking information about the types of services the organization provides, the size and complexity of the covered entity, and its use of health IT. OCR will use these surveys to assemble a diverse group of organizations for selection and participation in the audits to be conducted this year.

What OCR Will be Looking For

While OCR’s audit protocol has not been finalized, the agency has identified areas where it intends to focus its attention:

  • Privacy Rule compliance — how healthcare providers and health plans are meeting Privacy Rule requirements for notices of privacy practices, and how providers are handling patients’ right to access their Protected Health Information (PHI) and to receive an electronic copy of it
  • Security Rule compliance — policies and procedures for risk analysis of the safeguards protecting information systems that handle e-PHI, as well as the organization’s mitigation plan to address gaps identified through the assessment
  • Breach Notification Rule compliance — whether an unauthorized use or disclosure of PHI is reportable under the Breach Notification Rule, as well as processes for making required notifications if a breach occurs

How to Prepare

Healthcare provider practices, health plan administrators and business associates should prepare now so they’re ready if they are selected for a desk audit:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required audit documentation and clearly understand the submission process
  • Consider conducting a mock audit (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

OCR has posted a notice on its website regarding Phase 2 of the audits. It includes program background information, FAQs and a sample of the address verification communication.

If you have any questions about the audit program or want to know more about our mock audit services contact us at info@cynergistek.com.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup” and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
