PROTIVITI FLASH REPORT
The Office for Civil Rights Announces Phase 2 HIPAA Audits
May 15, 2014
On March 31, 2014, the Office for Civil Rights (OCR) finally provided insight into its plans for the
upcoming Phase 2 HIPAA Privacy, Security, and Breach Notification audits.
How will Phase 2 be different?
The new program bears little resemblance to the earlier audits, so all Covered Entities (CEs) and Business Associates (BAs) should
be taking action now. The OCR announced that it will conduct the audits itself, rely solely on offsite review of
evidence rather than onsite inspections, focus on targeted high-risk areas instead of covering all
HIPAA requirements, and audit significantly more organizations than in the previous phase.
The OCR plans to randomly audit 350 CEs (232 providers, 109 health plans and 9 clearinghouses) from
October 2014 through June 2015. Starting in 2015, 50 BAs will be randomly audited as well, including
35 “IT related” BAs (e.g., cloud/data hosting) and 15 “non-IT related” BAs (e.g., TPAs, claims
processing). To select the 350 CEs, the OCR will contact a larger group of 550-800 CEs
during the summer of 2014 and require them to complete an online “pre-audit survey” providing
information on their size, location, services and contacts. These CEs will also be required to
provide contact information for each of their BAs. The CE audit participants will be selected from that
larger group, while the BA audit participants will be selected from the BAs identified by those CEs.
These audits will have a much narrower focus. For the 350 CEs, 100 CEs will be audited on the Privacy
Rule, “[patient] notice and access”; another 100 distinct CEs on the Breach Notification Rule, “content and
timeliness of notifications”; and yet another 150 distinct CEs on the Security Rule, “risk analysis and risk
management.” The 50 BA audits will focus on “risk analysis and risk management” as well as “breach
reporting to CE” practices. The OCR then plans to conduct more audits later in 2015, which will most
likely focus on topics such as ePHI transmission security, device/media controls, privacy
safeguards and training efforts. Furthermore, during 2016, the OCR will conduct additional audits
focusing on higher-risk security topics such as encryption and decryption, facility physical access controls,
and other areas of high risk identified through the audit process, breach reports and complaints.
• Notification: The OCR will begin sending notification and data request letters this fall.
• Data request: After receiving their notification letters, CEs and BAs will have two weeks to
respond to the initial data requests. The OCR will not consider data sent after that period, so CEs
and BAs will need to ensure their documentation and evidence are in order and readily available.
Source: As presented by the OCR during “OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2,” at the
2014 Compliance Institute hosted by the Health Care Compliance Association.
• “Desk audits”: OCR staff will conduct the audits remotely as “desk audits,” as opposed to the
earlier audits in which contractors were physically onsite. The auditors will use an updated audit
protocol that reflects the Omnibus changes and includes more specific test procedures. The
updated audit protocol is expected to be published on the OCR’s website, but a
date has not yet been finalized. Audit participants will not have the opportunity to
provide clarification (either verbally or in writing) or to submit supplemental information after
their initial response. CEs and BAs will therefore need to ensure their initial response is both comprehensive and
easily understandable.
• Report: Prior to finalizing the audit findings, the OCR will present the organization with a
draft version of the report so that management can review it before the final report is published.
However, while the OCR may take feedback into consideration, this is not to be interpreted as a
secondary data request, nor as an opportunity for the audit participant to provide supplemental information.
What should you do?
Prepare for compliance instead of responding to audits
It is important that your organization does not adopt a mindset of preparing solely to pass an
audit. You should continue to enhance your compliance practices and to
improve organizational awareness. Your organization should focus on protecting the privacy and
security of patient information and on reducing the probability of a breach. Passing an audit should be a
byproduct of an effective compliance culture, not the goal itself. While OCR audits can be
painful and time-consuming, they pale in comparison to what your organization may endure in the event
of a breach. At a minimum, your organization should be undertaking the following initiatives, all of which are
required by HIPAA and should not be considered optional:
• Ensure that security, privacy, and breach policies and procedures are documented and regularly
• Maintain an inventory of all BAs affiliated with your organization, and ensure that the
business associate agreements (BAAs) have been updated to reflect the Omnibus changes. Store and
organize BAAs so that you can manage, review and maintain them, and so that you can readily
produce an inventory of the organizations you consider BAs when the OCR requests it.
• Perform an evaluation of your organization’s compliance program covering the Privacy, Security
and Breach Notification requirements. Review for appropriate policies and procedures, assess
the sufficiency of your practices, evaluate the detail of your supporting documentation, and
perform corroboration activities where necessary. Ensure the evaluation assesses your
compliance with all applicable HIPAA regulatory requirements, identifies areas that may be
lacking, and produces remediation action plans.
• Ensure that a security risk analysis is performed regularly by your organization and that it adheres
to the requirements set forth in the HIPAA Security Rule (refer to the OCR’s “Guidance on Risk
Analysis Requirements under the HIPAA Security Rule”). While the Department of Health and
Human Services (HHS), which oversees the OCR, has released a security risk assessment tool,
be cautious in your use of it. HHS and the OCR have stated that the tool does not
guarantee compliance and that it is intended primarily for small provider practices.
As the healthcare industry continues to experience increased scrutiny and the volume of breaches
grows on a seemingly daily basis, your HIPAA compliance practices become increasingly important as
well. Make sure your organization is implementing the proper practices to create a culture of compliance
and is taking the necessary steps to protect the PHI in your environment appropriately.
This flash report is based on information available from the OCR as of May 2014, as well as our
subjective interpretation of various aspects of that information, and the details outlined herein are subject
to change at the discretion of the OCR.