The second round of Health Insurance Portability and Accountability Act (HIPAA) audits has been officially announced by the Office for Civil Rights (OCR).
The OCR is a branch of the Department of Health and Human Services (HHS) that is responsible for enforcing HIPAA. Each year, it conducts audits of select covered entities to ensure they comply with HIPAA. Violations – even without willful intent – may result in corrective and/or disciplinary action.
Phase 1 of HIPAA audits was conducted last year, so it was only a matter of time before the OCR launched its second phase – and it appears that time is now. In a public statement, the OCR announced that it was beginning the second phase of HIPAA audits.
“Phase Two of OCR’s HIPAA audit program is currently underway. OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools,” wrote the OCR in its announcement of phase 2 audits.
So, what can healthcare practitioners and other covered entities expect with the second round of HIPAA audits? Like previous phase 2 audits, the OCR will use this time to review the policies and procedures of both covered entities and their respective business associates to ensure they meet the standards and specifications of the Privacy, Security and Breach Notification Rules.
It's important to note that phase 2 audits will be conducted primarily by desk, meaning investigators are not likely to visit a healthcare practitioner's workplace to conduct the audit. There are exceptions, however, such as reports of willful violations, in which case the OCR may send one or more investigators to inspect the covered entity and its workplace.
Phase 2 HIPAA audits will begin with the OCR verifying the contact information of covered entities and their business associates. Whether you are a covered entity or business associate, you can expect to receive an email from the OCR asking you to confirm your contact information. Upon completion of this contact verification, the OCR will send a questionnaire asking about the size, operation and business structure of potential auditees. Covered entities and business associates that fail to respond to the OCR's contact verification request will have this information automatically created from publicly available data, meaning the OCR may still target them for an audit.