In March, we reported that OCR had announced its Phase 2 Audit Program. OCR stated that it would compile a database of both Covered Entities and Business Associates to form the pool of organizations potentially selected for audit. OCR has followed through on that plan: in the last week, Covered Entities have started to receive contact-verification emails from OCR.
The first email an organization receives will look exactly like this. A Business Associate could receive more than one such email, because it may have relationships with more than one Covered Entity. If you receive this email, you have 14 days to respond. If you are the proper contact, respond as directed by clicking YES. If you are not, click NO and follow the instructions. Because the message asks the recipient to click a link and confirm contact details, treat it with the same scrutiny as any unsolicited email: confirm that the sender address and the link point to the HHS domain before responding, and check your spam filter so a legitimate OCR message is not lost.
If you respond YES, within a few hours, you will get an email that looks like this. The highlights include:
Not responding does not help. OCR has other methods to identify your organization, so do not expect to be excluded from the audit pool database simply because you did not reply to the email.
OCR will be auditing Covered Entities first, according to Deven McGraw, Deputy Director of Health Information Privacy at HHS/OCR. In an interview with Healthcare Info Security she stated, “We will definitely be selecting the Covered Entities and begin to audit them first because our current database of Business Associates is not robust enough. And so we will need to rely on Covered Entities who are selected for audit to provide us with information on their Business Associates so that we can go through the same process of verifying contact information and forming more robust Business Associate pools – and pick Business Associate auditees from there.”
Once an organization completes the screening questionnaire, it must understand that it could be randomly selected for an audit AT ANY TIME. If you are selected, you will have only 10 business days to submit the requested documentation. We therefore recommend that organizations ensure their HIPAA documentation is thorough and complete before answering the questionnaire.
Most of the audits are expected to be desk audits, in which communication and documentation exchange take place remotely rather than on-site. OCR does not explicitly say what documentation will be requested; its letter states that it will “conduct a focused desk audit to review documentation of evidence of your compliance with selected provisions of the Rules” and that “The audit protocols, which contain criteria the auditors will use, will be available here”. The audit protocol is quite detailed and has been called “dense” by Health Info Security. It is not clear whether, or how, OCR will tailor the audit protocol to different entities based on organization type or size; the letter leaves OCR that flexibility.
Our advice: forewarned is forearmed. If your HIPAA documentation is not in order today, take action to correct this immediately. Although the chance of being selected for an audit is low, if you are selected you must be prepared to submit documentation within the 10-business-day window. Other government programs (Meaningful Use, MACRA, PCMH) also require HIPAA compliance as a condition of participation.