7 things to know about phase 2 of the HIPAA audit program

The HHS Office for Civil Rights has begun the 2016 Phase 2 HIPAA Audit Program, which will focus on the policies and procedures covered entities and their business associates have in place to maintain compliance with privacy, security and breach notification rules. 

Here are seven things to know about the Phase 2 program.

1. The audits will generally be desk audits, but some onsite audits may occur.

2. The OCR is sending emails to covered entities and their business associates requesting address verification and contact information, and is also sending a pre-audit questionnaire. If the OCR does not receive a response, it will use publicly available information to create its audit subject pool. Entities that do not respond could be subject to an audit.

3. The OCR's emails may be incorrectly labeled as spam. The OCR expects covered entities and their business associates to check their junk folders for these emails. A sample email is available at http://www.hhs.gov/sites/default/files/ocr-address-verification-email.pdf

4. The OCR is selecting entities for audit across a wide range of healthcare providers, health plans, clearinghouses and business associates. The OCR will not audit any organizations currently undergoing a compliance review.

5. Covered entities and business associates selected for an audit will be informed via email about their desk or onsite audit. Organizations being audited will have 10 business days to submit requested information via the OCR's secure portal.

6. Onsite audits will take three to five days, depending on the size of the organization.

7. After an audit, the OCR will use the information gathered to determine what types of improvements or corrective actions need to be taken at an organization. If an audit uncovers a serious issue, the organization in question could be subject to a compliance review.


© Copyright ASC COMMUNICATIONS 2019.