The Office for Civil Rights (OCR) at the Department of Health and Human Services kicked off Phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) Audit Program in March 2016. The Phase 2 Audit Program is intended to review compliance of covered entities and their business associates with HIPAA privacy, security, and breach-notification regulations. Pharmacies, among a host of other healthcare providers, health plans, clearinghouses, and business associates, are subject to possible audit in Phase 2.
OCR piloted Phase 1 of its HIPAA Audit Program in 2011, evaluating more than 100 covered entities for compliance. These audits marked OCR’s initial effort to gather information on covered entities.
Phase 1 was largely viewed by stakeholders as a "soft" approach toward compliance, intended to determine the level of technical implementation needed and the types of corrective action that a covered entity should develop. Since Phase 1, however, there has been a flurry of enforcement actions by OCR against various healthcare entities for HIPAA violations.
The audit program stems from the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended the original HIPAA statute. In essence, HITECH requires OCR to conduct periodic audits of covered entities and business associates to determine their HIPAA compliance.
As OCR begins its Phase 2 Audit Program, it is already sending communications to potential audit candidates. Entities selected for the preliminary pool will receive a request to verify their contact information along with a preliminary questionnaire. From that pool and the answers received, OCR will then choose the final list of entities that will participate in the Phase 2 Audit Program. Notably, failing to respond to the initial questionnaire will not prevent an entity from being chosen for the final audit pool.
Phase 2 audits are expected to include both desk and onsite audits of covered entities and of the business associates that provide services to those audited covered entities. In the first round of Phase 2, covered entities should expect desk audits, followed by desk audits of business associates. Once these are complete, some of the audited entities will be selected for an onsite audit.
At the outset of a desk audit, OCR will request documents and supporting materials that evidence compliance with HIPAA. The responding entity will have 10 days to provide the requested information.
OCR will then review the submitted documentation and send its findings to the audited entity, which will have 10 days to review and respond to those findings.
If an entity is chosen for an onsite audit, a date will be scheduled and the entity will be instructed about the format and the additional information that OCR will seek. The onsite audits may last up to one week. As with the desk audits, an entity undergoing an onsite audit will have 10 days to respond to OCR’s findings if it so chooses.
If a Phase 2 audit uncovers serious compliance concerns, the audited entity may be subjected to a more rigorous compliance review, which could ultimately lead to enforcement action by the government, including remediation requirements and monetary penalties.