The second phase of audits under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Audit Program will focus on the business associates (BAs) of HIPPA covered entities (CEs) as well as the CEs themselves. The HHS Office for Civil Rights (OCR) will conduct the audits to uncover vulnerabilities to protected health information and evaluate CEs’ and BAs’ policies and procedures regarding compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.
Scope. The HIPAA audit process begins with entity verification, in which the OCR will request, via email, that CEs and BAs respond to the OCR with their contact information in a timely manner. The contact information request is followed by a pre-audit questionnaire regarding the type, size, and operations of an organization. The OCR uses the results of the pre-audit questionnaire to create potential audit pools. Every CE and BA is a potential candidate for an audit. The potential auditees include individual and organizational providers of health services, health plans of all sizes and functions, health care clearinghouses, and the BAs of those organizations. While the first round of program audits narrowly focused on CEs, the OCR planned the second phase of audits to widen the focus of the audit program to more significantly include BAs (see OCR Phase 2 audits to focus on specific HIPAA rules, July 17, 2015).
Audits. The OCR plans to begin with desk audits of CEs and BAs. The OCR will notify selected entities of the subject of an audit in a document request letter. Entities chosen for the audit will submit documents online through a new secure audit portal on OCR’s website. If selected, an entity will have 10 business days to respond to the OCRs information request. The OCR will then provide the entity with draft findings, which the entity will have 10 business days to respond to. Although the OCR believes there will be less in-person audits in the second round, as compared to the first phase of the audit program, entities should remain prepared for site visits because the OCR will perform an on-site visit if it deems one appropriate. The audits aid the OCR in determining what kind of assistance should be developed or what kind of corrective action is necessary to keep CEs and BAs in compliance.