HIPAA audits
Q. OCR has said that the comprehensive HIPAA audits will occur in 2017. We received a pre-audit letter as a CE but were not audited as part of the CE round of phase two desk audits. What is included in the comprehensive audits, and is there a chance we will be audited?
A. At this time, little is known about what will be examined as part of the comprehensive HIPAA audits. OCR indicated at the AHIMA Privacy and Security Institute on October 16 that it will release more detailed information about what will be covered as part of the comprehensive audits soon.
OCR indicated that it expects to kick off the comprehensive audits in early 2017. OCR will be using the same pool it drew from to select CEs and BAs for the comprehensive audit. For BAs, that pool is limited to only the BAs that were reported to OCR by CEs during round one of the phase two desk audits. Per OCR, CEs who received pre-audit letters and were not audited, CEs who were audited, and CEs who did not receive a pre-audit letter have an equal chance to be selected for the comprehensive audits. BAs who were selected for a desk audit and those that were not also have an equal chance of being selected for a comprehensive audit in 2017.
Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.