The long-anticipated Phase 2 of the HIPAA audit program of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is coming soon. Phase 1, which took place over 2011 and 2012, found that many covered entities were noncompliant with HIPAA requirements. HHS announced last spring that about 1,200 screening surveys would be sent to covered entities to identify which entities will be audited during Phase 2. The OCR is currently sending out preliminary communications via email and postal mail to verify entities’ contact information prior to sending the surveys.
The OCR plans to conduct desk audits of about 350 covered entities before progressing to onsite audits. The covered entities selected will include providers, health plans and health care clearinghouses (as defined by HHS), as well as business associates. Audits will focus on Security Standards compliance, Privacy Standards compliance and Breach Notification Standards compliance, and covered entities and business associates will likely have a short window in which to provide a complete response.
Covered entities can prepare for a potential HIPAA audit by ensuring that compliance materials are up to date, policies and procedures are being followed properly, and business associate agreements accurately reflect both parties’ HIPAA obligations. Covered entities should also be compliant with the 2013 HIPAA final rule, which was released after Phase 1 of the audit program was completed.