Phase Two HIPAA Audits Underway
The Office for Civil Rights’ (OCR) phase two HIPAA audits officially began last week when the agency sent more than 160 covered entities (CE) audit notification letters. Phase two was launched in March and the updated phase two audit protocols were released in April.
On July 11, letters were sent via email to 167 CEs informing them they have been selected for desk audits. CEs were sent two emails: a notification letter providing instructions for responding to the document request and a second email requesting a list of the CE’s business associates (BA). CEs will be audited for compliance with certain aspects of either the Privacy Rule, Security Rule, or Breach Notification Rule. Each audit area will require documentation to support only specific limited aspects of compliance. The audit areas will be:
- Privacy Rule: Notice of privacy practices and content requirements; provision of notice—electronic notice; right to access
- Security Rule: Security management process—risk analysis and risk management
- Breach Notification Rule: Timeliness of notification and content of notification
CEs have until July 22 to respond. Although CEs must still take care to compile correct and complete documentation and pay close attention to the deadline, the document requests appear to be much simpler and more straightforward than some expected after the release of the audit protocols.
OCR’s audit emails also contained information about a July 13 webinar on the desk audit process. The webinar included a Q&A session which helped answer some additional questions about the audits.
“Personally, and I think others attending the webinar may also have felt the same way, I was encouraged by the mention that findings of the audit will not result in a requirement for the entity to submit a corrective action plan to HHS,” said Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.
Reece Hirsch, Esq., a partner at Morgan Lewis in San Francisco, agrees that there was encouraging information for CEs in the webinar. “As stated during the webinar, the focus is on gathering information about compliance practices to develop further legislation around HIPAA guidance and refine the audit program going forward. This isn’t intended to be punitive.” However, Hirsch cautions that CEs should keep in mind that if OCR’s auditors find evidence of significant threats to the privacy or security of protected health information (PHI) the agency may investigate the CE.
Although the document requests are relatively simple, Hirsch says some larger CEs may find it challenging to compile a complete and accurate list of their BAs by July 22.
During the webinar, OCR confirmed that the audit findings will not be made public, but most audit findings will likely be obtainable through a Freedom of Information Act (FOIA) request, Hirsch says. This may mean that PHI would be disclosed to someone requesting the information under FOIA. A webinar attendee asked Devan McGraw, OCR deputy director of health information privacy, if risk analysis and risk management documents would be exempt from FOIA requests, but McGraw was not able to give a definitive reply.
CEs must submit documents through a special web portal. The link to the web portal is included in the email OCR sent to audited CEs. There is currently no information about whether the web portal has a file size limit and, if so, what that limit might be. Chris Apgar, CISSP, CEO of Apgar and Associates, LLC, in Portland, Oregon, asked OCR about the portal’s file size limits. OCR’s audit team manager replied that she received his question but has not yet had time to answer.
A total of 200 entities will be subject to desk audits during phase two: 167 of these are CEs and BA audits will make up the remaining 33. BA audits are expected to begin in the fall. This will be the first time BAs are audited under the HIPAA audit program. OCR will apply the same rules and expectation to BA and CE audits. The third set of audits will be comprehensive onsite audits of both BAs and CEs. Onsite audits will likely begin in early 2017.