The Office for Civil Rights (OCR) officially launched phase two of its HIPAA audit program earlier this week, sending out notification letters to selected covered entities.
The letters were sent out on July 11, according to an OCR email, with 167 covered entities selected for the desk audit portion of the program. The desk audits will review how healthcare organizations are adhering to the HIPAA Privacy, Security, and Breach Notification Rules.
For example, OCR will review how selected entities follow the notice of privacy practices and content requirements, patient right to access, and the provision of electronic notice.
“OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance,” OCR explained.
For the Breach Notification Rule, OCR plans to investigate how organizations handle the timeliness of notification and the content of the notification.
In terms of the HIPAA Security Rule, covered entities will be reviewed on their security management process in terms of both risk analysis and risk management.
“OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits,” the agency explained on its website. “Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”
Covered entities should carefully monitor their spam folders as well, OCR cautioned in its email. Selected healthcare organizations will receive two emails from OCR. The first explains how to properly respond to the desk audit request, including the necessary timeline for response.
The second email will request a list of the covered entities’ business associates, as well as information about an upcoming webinar that will further explain the desk audit process.
OCR also reminded covered entities that they will have 10 business days to respond to the document request. Selected business associates will receive their own notification about desk audits in the fall, the agency said.
The OCR HIPAA audit program has been in the works for some time, and healthcare organizations have anxiously been awaiting the next phase in the process.
The audit process consists of three phases. As previously mentioned, the in-depth desk audit examines compliance with the HIPAA Security, Privacy, and Breach Notification Rules. The final phase includes a more general audit reviewing broad HIPAA compliance across the entire organization.
“By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees,” OCR said on its website. “Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.”
Several healthcare experts have frequently underlined the fact that the OCR HIPAA audits are not meant to be a “gotcha” moment for covered entities.
The majority of healthcare organizations should already have the necessary policies and procedures in place, Foley & Lardner LLP intellectual property lawyer Aaron Tantleff told HealthITSecurity.com in April 2016.
“You also have to have done and performed a risk assessment to identify an organization's strengths and weaknesses,” Tantleff said. “Especially on the weaknesses side, you need to make sure that you've identified those areas that require remediation, and that you have a plan to address them.”
Colin Zick, co-founder of Foley Hoag LLP’s Privacy & Data Security Practice, said Phase 2 should not be a cause for panic, and that organizations should not be overly concerned if they are already taking the necessary steps to be HIPAA compliant.
“This is as much an exercise in the brand of your institution as it is anything else,” Zick said. “Yes, it’s a legal compliance. But, you want to be compliant with these things because it’s the right thing to do.”