The Department of Health and Human Services (HHS) announced that it has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules.
Drawing on its experience from the pilot audit program, OCR is implementing the second phase of its HIPAA audit program, which covers both covered entities and business associates. As part of this program, OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the effectiveness of desk audits in evaluating HIPAA compliance.
HHS’ Office for Civil Rights (OCR) has already started sending emails to covered entities and business associates to verify their contact information. Next, OCR will send a pre-audit questionnaire to gather data about potential auditees. OCR will use this data to select covered entities and business associates for audits. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.
OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.
According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate.
Action Steps
To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules.
For more information on HIPAA or compliance audits, please contact our Compliance Department.