HHS-OCR Launches Phase 2 of HIPAA Audits, Will Include “Business Associates”

Posted on Health Care Law News by Robert Nicholson

The United States Department of Health and Human Services Office of Civil Rights (OCR) has officially started the second phase of HIPAA Audits, which will include “Business Associates” for the first time. When HHS-OCR previously conducted Phase 1 (the “pilot” phase) of its audits, it focused exclusively on “covered entities” such as hospitals, doctors’ offices, and health plans, and this process involved many “site visits.” Phase 2 will differ from the pilot phase in that more audits will be conducted, but a large percentage will be “desk reviews.” These are expected to consist of a document check, and will aim to identify whether the covered entities in question have understood and applied the HIPAA Rules and Regulations. The audits will test for some of the common compliance failures that were identified during the pilot phase and in subsequent data breach investigations the agency has conducted. HIPAA-covered entities have now had three years since the end of the pilot audits to bring data privacy and security safeguards up to the required standards. Current violations could therefore be seen as willful neglect, and heavy fines could be issued to those found to still be violating HIPAA regulations.

During the Phase 2 audits, covered entities will initially submit documentation via HHS-OCR’s secure online portal. The documentation, which must be submitted within ten days of the initial request, will help HHS-OCR auditors examine the entities’ compliance with specific requirements of the HIPAA Privacy, Security or Breach Notification Rules. Following these initial audits, HHS-OCR plans to conduct desk audits of business associates. After the desk audits have been completed, some covered entities and business associates may be selected for onsite audits that will be conducted over a three-to-five-day period and will examine a broader scope of HIPAA requirements. HHS-OCR has stated that the desk audits will be completed by the end of December 2016, but has not determined a completion date for the onsite audits, since they are contingent upon the results of the desk audits.

The Florida Health Law Firm of Nicholson & Eastin, LLP assists health care providers and their business associates with HIPAA compliance, breach notification and audit responses. If you have concerns regarding HIPAA compliance or are selected for a HIPAA audit, please contact us for a consultation.