The Department of Health and Human Services’ Office for Civil Rights has officially kicked off its much-anticipated second phase of audits of covered entities and their business associates. Required under the 2009 HITECH Act, the OCR must perform periodic audits of both covered entities—healthcare providers, health insurance plans, healthcare clearinghouses—and business associates for compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) privacy, security, and breach notification rules. The first phase was conducted as a pilot audit program in 2011 and 2012 on 115 covered entities.

The impetus behind the OCR’s second phase of audits, which formally began on March 21, was a scathing report issued in September 2015 by the HHS Office of Inspector General, which criticized the OCR for its lack of enforcement concerning compliance with HIPAA’s privacy rule. In that report, the OIG determined that the OCR’s oversight has been primarily reactive.

“It investigates possible non-compliance primarily in response to complaints,” the report stated. “[the] OCR has not fully implemented the required audit program to proactively assess possible non-compliance from covered entities.”

The findings from that report effectively put the OCR’s feet to the fire “to be a bit more rigid during this phase than the last phase,” says James Bowers, former vice president of corporate compliance for Aetna and now senior counsel at law firm Day Pitney.

On its website, the OCR described these audits as “primarily a compliance improvement activity.” It warned, however, that it will not hesitate to initiate a full-blown compliance review if an audit report uncovers a “serious compliance issue,” potentially resulting in significant fines and penalties. “There are certain core requirements of HIPAA that the OCR automatically will consider serious violations if they’re not followed,” says Eric Fader, a member of the life sciences and healthcare practice group at law firm Day Pitney.

One common compliance deficiency found during the pilot audits that often leads to an enforcement action by the OCR is failure to conduct an enterprise-wide risk assessment to ensure patients’ health information is being adequately protected. “A risk assessment would uncover the types of omissions and shortcomings that audits are likely to be looking for,” says Fader.

Many healthcare entities are still learning this lesson the hard way. Just last month, for example, North Memorial Health Care of Minnesota, a non-profit health care system, reached a $1.55 million settlement with the OCR to resolve charges that it violated HIPAA’s privacy and security rules by failing to enter into a business associate agreement with a major contractor and failing to institute an enterprise-wide risk analysis to address the risks and vulnerabilities to its patient information.

“Two major cornerstones of the HIPAA rules were overlooked by this entity,” Jocelyn Samuels, director of the OCR, said in a statement. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.” Other compliance measures the OCR will be looking for include whether covered entities have in place encryption capabilities; an up-to-date notice of privacy practices; a breach notification and response plan; and proper documentation of these measures.

If compliance officers in the healthcare industry need one more reason to keep their HIPAA compliance program up-to-date and readily available, they should keep in mind that an audited entity has only 10 business days to respond to an audit inquiry. “You can’t cobble something together in 10 days that’s going to pass muster if your program is weak or non-existent,” says Dianne Bourque, a member in the health law practice at law firm Mintz Levin.


Audit preparation

Unlike the pilot audit program, the second audit phase focuses on both covered entities and their third-party affiliates, which generally include any business that provides a service to a covered healthcare entity and that receives protected health information in the course of providing that service. Business associates may include, for example, healthcare billing companies, Medicare payers, hospital management companies, and cloud computing companies that store protected health information.

“The first thing I would recommend to anyone right now is to develop an audit response plan,” says Samuel Cohen, a senior associate in the healthcare practice at Arent Fox. “For example, who is going to be in charge of responding? What frontline employees may need to be involved in getting documentation? You don’t want an OCR notification letter to be the first time you’ve thought about these questions,” he says.

During the first round of audits, the OCR will communicate with covered entities and business associates by e-mail to obtain and verify contact information. “There is no mercy from [the] OCR if the e-mail is filtered out into a spam folder,” says Bourque. “You’re on the hook for responding.”

Once the OCR obtains that contact information, covered entities and business associates must then fill out a pre-audit questionnaire designed to gather data about their size, type, and operations. “Covered entities and business associates would be well served to have their audit response team ready and well-organized,” says Reece Hirsch, a partner in the healthcare practice at Morgan Lewis. Develop a process to ensure audit response teams will be able to quickly gather and have easy access to the following pertinent documents:

A list of the business associates, including their contact information and the nature of the services they provide;

A copy of your HIPAA privacy, security, and breach notification policy and procedures;

A copy of the findings from the latest enterprise-wide risk assessment;

Evidence of employee training on HIPAA privacy and security rules; and

A copy of an incident response plan concerning data breaches.

If a healthcare organization or business associate fails to respond to the initial e-mail or fails to provide adequate information in the pre-audit questionnaire, the OCR will turn to publicly available information to create its audit pool. Failing to respond will not make you immune to a HIPAA compliance audit. The OCR said, however, that it will not audit entities with an open complaint or that are currently undergoing an OCR compliance review.

OCR'S CURRENT AUDIT PROTOCOL

Below is the Office for Civil Rights’ description of its current audit protocol.
The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.
The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
The audit protocol covers privacy rule requirements for:

Notice of privacy practices for personal health information (PHI);

Rights to request privacy protection for PHI;

Access of individuals to PHI;

Administrative requirements, uses, and disclosures of PHI;

Amendment of PHI; and

Accounting of disclosures.
The protocol covers security rule requirements for administrative, physical, and technical safeguards.
The protocol covers requirements for the breach notification rule.
The protocol is available for public review and searchable by keyword(s) in [this] table. 
Please be aware that the protocol has not yet been updated to reflect the Omnibus final rule, but a version reflecting the modifications will be available in the future.
Source: OCR

Audit process

The first round of audits will be desk audits of covered entities followed by a second round of desk audits of business associates. All desk audits in this phase will be completed by the end of December 2016, the OCR said.

The third—and final—round of audits will be onsite, lasting three to five days, and will examine a broader scope of requirements from the HIPAA rules than the desk audits. Although the OCR will conduct fewer onsite audits than in the pilot phase, covered entities and business associates should nonetheless be prepared for a site visit. “If the OCR decides to turn the onsite audit into a compliance review, that could be a cause for concern,” says Leeann Habte, senior counsel in the healthcare practice at law firm Foley & Lardner.

“It’s always a good idea to spot check,” says Bourque. Not all HIPAA-covered entities and business associates may have the staff or time to conduct a mock audit, she adds, but you can still compare your current practices to the audit protocols published on the OCR’s website by asking some key questions:

When was our last risk assessment? Are we due for another one?

Do we have easy access to our business associate agreements?

When was the last time we conducted employee training on HIPAA privacy, security, and breach notification rules?

Did everybody complete training? Do we have documentation to show that?

Where do we keep our incident log?

Following the audit—whether it’s a desk or onsite audit—the OCR will produce a draft report, at which time the audited entity will have 10 days to review and respond with written comments. The final report will be completed by the OCR within 30 days and delivered to the audited entity.

With both desk audits and on-site audits, the OCR will not post a list of audited entities or the findings of an individual audit. Such information, however, may be subject to release under the Freedom of Information Act. “There is some danger of a sub-standard audit report getting into the hands of plaintiffs’ counsel, thereby exposing organizations to private actions, as well as state attorney general actions,” says Bowers.

Even if you are not selected for an audit, taking proactive measures to develop or reinforce your HIPAA privacy, security, and data breach response compliance program will help reduce the risk of an OCR enforcement action in the future.