May 3, 2016
On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) announced the launch of the long-awaited Phase 2 HIPAA Audit Program (Phase 2), and OCR activities related to Phase 2 are already underway. Phase 2 will consist primarily of desk audits, but will include some onsite audits, and both Covered Entities and Business Associates will be selected for audit. Shortly after its announcement, OCR released an updated protocol for Phase 2, which replaces the original protocol used in the pilot audit program and provides some insight into what the auditors will be focusing on in Phase 2. The following is a brief description of the Phase 2 audit process and what Covered Entities and Business Associates should expect. 

1. Verification of Contact Information. OCR has already sent email communications to select entities to verify contact information.

2. Audit Pre-Screening Questionnaire. OCR is in the process of sending this questionnaire to elicit information that will help OCR to target its audit efforts to a diverse spectrum of Covered Entities and Business Associates.

3. Desk Audits. After OCR selects the auditees, OCR will commence the audit process with “desk” audits and auditees will have 10 days to provide responsive documents to OCR.

4. Onsite Audits. OCR will conduct more extensive on-site audits after it has concluded the desk audits.

5. Post-Audit Findings. OCR has indicated that the primary purpose for the audits is to identify compliance issues in order to develop guidance. However, OCR may initiate compliance reviews against auditees with serious compliance issues.

Polsinelli has developed a HIPAA Audit Program to assist Covered Entities and Business Associates prepare for an OCR audit. Even if an entity is not chosen for an OCR audit, our HIPAA Audit Program is a helpful tool to mitigate risk and strengthen your compliance program in preparation for OCR investigations, which may be triggered at any time by a patient complaint or a breach. 

To view the full alert, click here

For more information on Polsinelli’s HIPAA Audit Program, click here.