OCR Releases HIPAA Audit Guidance

The Office for Civil Rights (OCR) released HIPAA phase two guidance July 27. The guidance, a document linking specific audit protocols with document submission requests, included the slide deck from a July 13 webinar for covered entities (CE) selected for desk audits, and a list of questions and answered asked during the webinar and via email.

CEs selected for desk audits were notified July 11 and requested documents were due July 22. Audited CEs will have the opportunity to review the audit report before it is submitted and attach comments. Although the most active phase of the desk audits is over for CEs, the documents released July 27 can also be used by business associates (BA). Desk audits of BAs will begin in the fall and OCR will apply the same expectations and requirements as it during the CE portion.

The HIPAA Audit Program is not intended to be punitive and is primarily focused on identifying common HIPAA vulnerabilities. OCR will use this information to create education and tools to help CEs and BAs comply with HIPAA and to refine the final audit protocols. However, if auditors find significant security threats to protected health information, OCR may choose to open an investigation.