Last week the U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched Phase 2 of its HIPAA compliance audits, and this time around every covered entity and business associate, no matter its size or function, is eligible for an audit. Check your spam folders: OCR has started sending initial emails to verify contact information for potential auditees, and organizations only have fourteen days to respond to the OCR’s information request (click here to view a sample OCR email). Failure to respond may result in OCR using publicly available information about your organization to create its audit pool.
Receiving an email at this stage does not mean OCR has selected your organization for an audit, but from the responses it receives OCR will create a pool of organizations for Phase 2 audits. These audits will target implemented policies and procedures, likely with a sharp focus on business associate agreements. The first set of audits will be desk audits for covered entities, followed by a second set of desk audits for business associates. If your organization is selected for a desk audit, you will be notified by email and must submit the requested information to OCR within ten business days of the notification. A third set of audits will be conducted onsite and will cover a broader scope of requirements from the HIPAA rules than desk audits. It is anticipated that the results of a desk audit may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered.
How to Prepare
Due to the tight deadlines imposed by OCR, we recommend that you take the steps below to prepare yourself for a potential audit:
- Check your spam and junk folder. Determine the person or persons at your organization OCR is most likely to identify as the “primary contact,” and notify them to diligently monitor for OCR communication. OCR audit-related emails will be sent from OSOCRAudit@hhs.gov, and OCR expects you to check your spam and junk mail folders for its emails.
- Prepare a list of your business associates. In the pre-audit screening process, OCR will ask for a list of business associates. OCR encourages covered entities to prepare a list in advance for responding to this request. Ensure their contact information is up to date.
- Review the Phase 1 audit protocol. OCR has not yet posted updated audit protocols for Phase 2, but the Phase 1 audit protocol remains available here. Working through the protocol is a good way to evaluate your current level of compliance.
- Prepare your audit response team. Identify and assemble an audit team who can quickly respond to information requests and gather the documents OCR will likely request should you be selected for an audit.
- Be alert for potential scams. Be careful when opening purported communication from OCR, as there is always the potential for phishing and malware attacks under guise of such communications.
Further information about the Phase 2 audit process is available on OCR’s website. If you have any questions about the Phase 2 audit process or HIPAA compliance generally, please contact Norbert F. Kugele (616.752.2186 or nkugele@wnj.com), Kelly Hollingsworth (616.752.2714 or khollingsworth@wnj.com), or any other member of the Data Solutions Practice Group at Warner Norcross & Judd LLP.