July 12, 2016
OCR’s Phase Two HIPAA Audits Have Begun
Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has now kicked into high gear. Selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the program. The letters were delivered by email on Monday, July 11, 2016 to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with specific provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.
The desk audits are focused examinations of the documentation that demonstrates an entity’s compliance with certain requirements of the HIPAA Rules (see table below). OCR selected these provisions for the desk audits because our pilot audits, as well as our enforcement activities, have surfaced them as frequent areas of noncompliance.

Entities received two email communications, sent to the contact information each entity confirmed during the pre-audit phase of the program. These emails may, however, be classified as spam by the recipient’s email service, so covered entities should check their spam filters and junk mail folders for messages from OSOCRAudit@hhs.gov. The first email contains the notification letter, which provides instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents through OCR’s secure online portal. The second email requests a listing of the entity’s business associates and provides information about an upcoming webinar at which OCR will explain the desk audit process for auditees and take their questions.

Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.
For more information, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.
Requirements Selected for Desk Audit Review
| Rule | Requirement | Citation |
|---|---|---|
| Privacy Rule | Notice of Privacy Practices & Content Requirements | §164.520(a)(1) & (b)(1) |
| Privacy Rule | Provision of Notice – Electronic Notice | §164.520(c)(3) |
| Privacy Rule | Right to Access | §164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3) |
| Breach Notification Rule | Timeliness of Notification | §164.404(b) |
| Breach Notification Rule | Content of Notification | §164.404(c)(1) |
| Security Rule | Security Management Process — Risk Analysis | §164.308(a)(1)(ii)(A) |
| Security Rule | Security Management Process — Risk Management | §164.308(a)(1)(ii)(B) |