OCR Surveying Covered Entities for Participation in HIPAA Audit Program

April 5, 2016 David Holtzman

HHS OCR HIPAA Audit Program

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is moving steadily forward toward auditing covered entities and business associates. In the last few days the agency has distributed surveys to identify the covered entities that will make up the pool of potential audit targets, released a new audit protocol that substantially expands the scope and criteria of what is subject to review, and described how it will collect information about business associates from covered entities. That business associate information will be used to identify the contractors and vendors of covered entities that will be audited by December 2016 as part of the HIPAA audit program.

OCR has begun sending pre-audit screening questionnaires to approximately 1,200 covered entities. The questionnaire asks each covered entity to supply information about its size, its affiliation with other covered entities, the type and operations of the organization, and any current enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

HIPAA Audit Program Selection Process

Approximately 200 covered entities will be selected for the HIPAA audit program on a rolling basis throughout the remainder of 2016. A covered entity selected for audit will be asked to provide information about its business associates. OCR will notify selected covered entities in writing, by email, of their selection for a desk audit. The OCR notification letter will introduce the audit team, explain the audit process and discuss OCR's expectations in more detail. In addition, the letter will include initial requests for documentation. OCR expects covered entities that are the subject of an audit to submit the requested information within 10 business days of the date on the information request. All documents must be in digital form and submitted electronically via the secure online portal. OCR will also ask covered entities to prepare a list of each business associate with contact information; the agency has developed a template for listing business associates.

Business associates will be selected for desk audits in the same fashion as covered entities. While conducting desk audits of covered entities, OCR will replicate the notification and document request process for initiating desk audits of selected business associates.

Similarly, entities will be notified via email of their selection for an on-site audit. The auditors will schedule an entrance conference and provide more information about the on-site audit process and expectations for the audit. Each on-site audit will be conducted over three to five days, depending on the size of the entity. On-site audits will be more comprehensive than desk audits and will cover a wider range of requirements from the HIPAA Rules.

The agency also debuted a new audit protocol that represents a significant change in scope and approach from the 2012 HIPAA Pilot Audit Program. OCR strengthened its approach to testing compliance with the HIPAA Rules by developing an audit design that examines each standard and implementation specification in each rule and assigns a corresponding audit inquiry to measure compliance.

How to Prepare

Healthcare provider practices, health plan administrators and business associates should prepare now so they are ready if selected for a desk audit:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required audit documentation and clearly understand the submission process
  • Consider conducting a mock audit (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

If you would like to learn more about CynergisTek’s mock audit services or additional ways to prepare for the HIPAA audit program, email us at info@cynergistek.com.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule with health information technology policies. David has nearly two decades of experience developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS "CISA 405-d Workgroup" and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
