Yesterday we learned that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will be conducting a round of audits for covered entities and their business associates. Today we’ll see how they will be conducting their audits.
The OCR plans to conduct desk and on-site audits of both covered entities and their business associates. The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates.
These desk audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase are to be completed by the end of December 2016.
The third set of audits will be on-site and will examine a broader scope of requirements from the HIPAA rules than desk audits. Some desk auditees may be subject to a subsequent on-site audit.
Entities selected for an audit will be sent an e-mail notification of their selection and will be asked to provide documents and other data in response to a document request letter. Audited entities will submit documents online via a new secure audit portal on OCR’s website.
There will be fewer in-person visits during the Phase 2 audits than in Phase 1, but auditees should still be prepared for a site visit. Auditors will review documentation and then develop and share draft findings with the entity. Auditees will have the opportunity to respond to these draft findings; their written responses will be included in the final audit report.
Get prepared now
If you sponsor a self-insured health plan or otherwise have access to protected health information (PHI), it’s a good idea to review your HIPAA practices now—before you find yourself on OCR’s radar.