Health Care Law Blog

OCR Begins Phase 2 Audit Program of Covered Entities and Business Associates

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it has begun Phase 2 of its HIPAA audit program. This audit phase will impact covered entities and their business associates.

The purpose of the Phase 2 audit program is to allow OCR to review the policies and procedures that covered entities and business associates have adopted to meet selected standards and implementation specifications of the HIPAA privacy, security, and breach notification rules (HIPAA Rules). OCR has indicated that it will utilize the Phase 2 audit findings to identify technical assistance it should develop for covered entities and business associates. To the extent an audit reveals a serious compliance issue, OCR may conduct a compliance review that could lead to civil monetary penalties.

The Audit Process

OCR is randomly contacting covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates to obtain information. Once OCR obtains contact information for covered entities, it will require completion of a questionnaire that asks about the covered entity’s operations and arrangements with business associates. Communications from OCR will be sent via email.

Auditees will be chosen through random sampling of the audit pool for participation in either a desk or an onsite audit. In terms of timing, covered entities who are selected for a desk audit must submit requested information within 10 business days of the information request. All documents are to be submitted digitally through the OCR's online portal. Auditees will be provided with draft findings and will have 10 business days to review and return such findings with comments. The auditor will then prepare a report within 30 business days of receiving comments.

Onsite audits, which will be more comprehensive than desk audits, will be conducted over a three- to five-day period at the auditee’s location. As with desk audits, auditees will be provided with draft findings and will have 10 business days to review and return them with comments. The auditor will then prepare a report within 30 business days of receiving comments.

Now is the Time to Prepare and Assess Risks

Covered entities and business associates should take the appropriate steps to prepare for the possibility of a Phase 2 audit. Evaluating whether your organization is safeguarding protected information is not just a smart legal and business practice; it is required by HIPAA.

To fulfill these requirements, all entities subject to HIPAA's Security Rule must run a risk assessment. Additionally, covered entities and business associates should review their HIPAA privacy policies and procedures to ensure that they are up to date with recent legal changes. Finally, covered entities and business associates should monitor their operations for purposes of HIPAA compliance.

For help completing your risk assessment, drafting policies based on your assessment and/or preparing for a Phase 2 audit, please contact Mindi M. Johnson.
