OCR Announces Next Round of HIPAA Audits
The second round of desk audits in the HIPAA audit program began this week, the Office for Civil Rights (OCR) announced in a November 30 email alert. This round of desk audits focuses on business associates (BAs). Desk audits of covered entities (CEs) were conducted in July. The third round of HIPAA audits, tentatively set for early 2017, will consist of comprehensive onsite audits of both CEs and BAs.
Phase two of the HIPAA audit program was announced in March, and a set of updated audit protocols was released in April. Although the comprehensive onsite audits will cover all elements in the protocol, desk audits of BAs will look at two targets:
- Security: risk analysis and risk management
- Breach notification: breach reporting to CEs and content of notices
This marks the first time BAs have been part of the HIPAA audit program and there will likely be surprises for both audited entities and OCR.
“I think the desk audits of BAs will be very significant because this marks the first time that OCR has had the opportunity to assess the state of BAs’ compliance with HIPAA,” says Reece Hirsch, Esq., a partner at Morgan, Lewis and Bockius, LLP, in San Francisco. “While the sample size is relatively small, the findings will most likely form the basis for future OCR industry guidance and enforcement priorities.”
Audit notification letters were sent via email, but in an unfortunate coincidence they arrived at a time when many BAs are likely wary of emails purporting to be from OCR. On November 28, OCR alerted CEs and BAs to a phishing campaign disguised as an official OCR audit communication. The phishing email's from address is OSOCRAudit@hhs-gov.us and it directs recipients to follow a link to www.hhs-gov.us; the lookalike domain hhs-gov.us differs from the legitimate hhs.gov only by the hyphen and the .us top-level domain, so the sender address should be checked character by character rather than at a glance. Individuals who have received such an email, or who are not certain whether an email from OCR is genuine, should contact OCR at OSOCRAudit@hhs.gov.
In fact, the primary focus of the November 30 email was an update on the phishing campaign, with the announcement of the BA audits at the bottom of the message. This may cause confusion among BAs and cost them valuable time. OCR previously warned CEs and BAs that official audit communications may land in spam folders, and the recent phishing campaign could make some think twice before opening these emails. Audited entities have 10 days to submit requested documentation, and OCR's clock starts when the emails are sent, not when they are read.
“I think OCR could have been more clear and not buried the BA audit message in an email about phishing,” says Chris Apgar, CISSP, president of Apgar and Associates LLC, in Portland, Oregon.
The announcement wasn't unexpected, Apgar adds, although it came later than many expected. OCR originally planned to conduct desk audits of BAs in the fall and will just meet that deadline. However, conducting the audit is only the first step of the process. Auditors then prepare a draft audit report for each entity. The draft report is sent to the entity, which may attach comments; those comments are appended to the final audit report submitted to OCR. But the CEs audited in July have yet to see their draft reports.
“What is of note is OCR is late on returning draft audit reports to CEs that were a part of the desk audit,” Apgar says. “As of last week our client who was audited had yet to receive the draft report back from OCR for review.”