- The Office of Civil Rights (OCR) has announced Phase 2 of its HIPAA audits, according to a public announcement.
The agency, which is a part of the Department of Health & Human Services, will be conducting these audits in an effort to keep covered entities accountable and compliant in HIPAA security protocol. By auditing a pool of covered entities and business associates, OCR hopes to ensure that HIPAA policies are being adhered to.
“Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews,” OCR explained. “These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).”
This second phase of the OCR HIPAA audit process will assess the policies and strategies that covered entities and business associates have adopted in an effort to remain HIPAA compliant.
In a question and answer document published by OCR, the agency explains several key aspects of the audit process, including which kinds of entities will be included in the audit and how the process will work.
The audit process will consist of three phases, including a small desk audit and then a more in-depth desk audit. The in-depth desk audit will examine compliance with the various HIPAA security, privacy, and breach notification rules. The final phase will include a more general audit examining broad HIPAA compliance across all aspects of the healthcare organization.
Using the data gathered from the audits, OCR will determine its best course of action to help entities better adhere to HIPAA rules and develop better strategies.
“The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules,” OCR said. “Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful.”
Although HIPAA audits are intended to be improvement-oriented with the end goal of creating better protocols to help entities adhere to HIPAA, there are some incidences in which an entity presents a glaring issue with security.
In these events, OCR may investigate further, but it does not plan on publishing individual audit information publically. That said, the agency does maintain that under the Freedom of Information Act (FOIA), it may need to release audit notification letters should the public ask for them.
OCR will select its audit pool in the coming months, ideally creating a pool that is representative of the healthcare landscape, including various different providers, health plans, healthcare clearinghouses, and business associates.
“By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees,” the agency explained. “Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR.”
The audit process will begin with OCR contacting its auditees for confirmation of contact and other information. The process will then consist of a back and forth of information exchange, with OCR sharing audit results with auditees as it continues with the process. In the end, OCR says it will use all of its audit data to create a better understanding of HIPAA compliance efforts and develop better industry protocol.
“OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits,” OCR stated. “Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.”