OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

The OCR’s detailed audit protocol is available here.

If an entity does not respond to OCR’s request to verify its contact information or to the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or be subject to a compliance review.

To learn more about OCR’s Phase 2 Audit program, click on one of the links below:

When Will the Next Round of Audits Commence?

Who Will Be Audited?

On What Basis Will Auditees Be Selected?

How Will the Selection Process Work?

How Will the Audit Program Work?

What if an Entity Doesn’t Respond to OCR’s Requests for Information?

What is the General Timeline for an Audit?

What Happens After an Audit?

How Will Consumers Be Affected?

Will Audits Differ Depending on the Size and Type of Participants?

Will Auditors Look at State-Specific Privacy and Security Rules in Addition to HIPAA’s Privacy, Security, and Breach Notification Rules?

Who is Responsible for Paying the On-Site Auditors?

Author: Erwin

Erwin Kratz practices exclusively in the areas of ERISA and employee benefits law, focusing on tax and regulatory matters relating to qualified and nonqualified deferred compensation and welfare benefits.