On the Horizon – HIPAA OCR Phase 2 Audits

This year was the 24th annual HIPAA Summit in Washington, D.C. and it featured some of the most preeminent leaders in the field, including both private and public individuals.

On day two of the conference, March 22, the Director of the Office of Civil Rights, Jocelyn Samuels Esq., announced that Phase 2 of the HIPAA OCR audits was beginning. In fact, she said that by the time this talk was over, those entities that had been chosen to be part of the audit selection pool would begin receiving notices.

True to her word, emails immediately began to hit inboxes with the title: “OCR HIPAA Audit – Entity Screening Questionnaire.” In an effort to ensure full disclosure, the author received just such an email as part of his role as Privacy Officer.

Here is a sample copy of the email:

These emails give the recipient 30 days to respond to a pre-audit questionnaire, and then the waiting game begins. If you would like to see the types of questions being asked in the pre-audit questionnaire, see here.

If the entity is selected, they will have 10 days to respond to the audit questions and provide the necessary documentation. Ultimately, the OCR will perform a total of 200 audits broken into 2 phases.

Under the first phase, approximately 150 covered entities will be audited, with the large majority being “desk audits” of a specific content area:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures
  • Security Rule requirements for administrative, physical, and technical safeguards
  • Requirements for the Breach Notification Rule

The desk audits will quite literally be a review, at an OCR auditor's desk, of the materials, policies, procedures, and documentation that you mailed in response to their questions. The focus of these desk audits will be narrow and directed specifically at the policies and procedures of a specific content area listed above.

For now, it appears that desk audits will be limited to one of the bulleted areas above. The timing of the audits will be narrow, with most audit results being delivered back to the auditee within 30 days of receipt.

In addition to these desk audits, a small percentage of the first round covered entities will be selected for on-site audits, a far more rigorous and in-depth experience that will include the physical presence of OCR auditors at the work site(s) for a period of 3-5 days. These audits will likely include multiple content areas, if not all.

After the on-site presence, the entity will receive a list of questions it must then answer within 10 days, providing the requested comments, materials, policies, procedures and documentation. As with the desk audits, the entity will then receive notice of the outcome of the audit within 30 days.

After the first round of audits is complete, the OCR will then move on to audit approximately 50 business associates that were identified by the covered entities in Phase 1. These audits will proceed in much the same way as the desk and on-site audits: notification letters will go out and auditees will then have a certain amount of time to respond to the questions.

Fortunately for us, the OCR is transparent as to what they will be requiring and looking for in these audits – the audit protocol is an easy-to-use 420-page document found here. That said, if you are chosen and this document is daunting (it is quite daunting), another option is to run through the NIST SP 800 tool I previously reviewed. This tool matches up and automates the questions you will need to answer for the audit and was developed in conjunction with NIST and the OCR.

If you have not received notice of your selection to be in the audit pool, never fear. The notices will continue to be sent out on an ongoing basis until the OCR obtains a satisfactory pool of entities it wants to audit.


“Don’t Panic” ~Douglas Adams

Seriously, don’t panic. This is not a punitive audit; it is a compliance improvement audit aimed at getting a good barometer reading on the current state of HIPAA compliance in the industry.

The process is designed to help the OCR identify gaps and develop resources that can assist entities in working towards HIPAA compliance. As evidenced by the newly redesigned and launched OCR website, there appears to be a real commitment to simplifying HIPAA compliance and empowering individuals and covered entities alike.

The good news is that this is not the first time the OCR has performed audits, and all signs point to a similar audit process to what we saw in 2012. Thankfully, the OCR is transparent about how these audits worked and there is plenty of official material on what happened, when it happened, who it happened to, and the results of Phase 1 Audits, found here.

But seriously, don’t panic.

Via: tripwire
