The U.S. Department of Health and Human Services has officially launched its long-awaited Phase 2 HIPAA audit program, the head of HHS’ Office for Civil Rights said at a March 21 conference.
The process has begun with the emailing of address verification letters to a pool of potential auditees, said OCR Director Jocelyn Samuels. OCR expects to have all of these sent out within a week, she said. “Ignoring the letters won’t keep you from being selected,” she noted; if necessary, OCR will simply use the best contact information it has available.
Covered entities will have only 14 days to respond to these emails. OCR is warning covered entities to check their spam filters.
These verification letters will be followed by questionnaires, and once OCR gets those back, the agency will select a sampling of covered entities and business associates from this pool to actually be audited, Samuels continued. OCR will perform more than 200 onsite and desk audits, with all of the desk audits to be completed by year’s end.
Entities selected for desk audits will upload the requested documentation, such as policies and procedures, directly to an OCR Web portal, Samuels said. OCR might follow some desk audits with onsite audits if it finds problems.
As OCR has indicated previously, the desk audits will focus on selected provisions of HIPAA’s privacy, security and breach notification rules. The audits are not intended to be punitive, but rather to get out in front of problems and direct future guidance, Samuels said. OCR hopes to get a sense of whether there still are “systemic structural issues.”
Once the audits are completed, OCR will share the results with the audited entities, and also use them to establish a permanent audit program, Samuels noted.
OCR officials sought to allay concerns that audited entities will have no opportunity to clarify their submittals. When it really isn’t clear how a document request applies to a given covered entity, “there is going to have to be some give and take in that regard,” said Deven McGraw, OCR deputy director for health information privacy. However, “this is not a negotiation as to what you’re supposed to send.” Details on the audits are available on OCR’s website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.