QUESTION:       What’s all this I hear about HIPAA Phase 2 audits?

ANSWER:           The HHS Office of Civil Rights (“OCR”) announced this past Monday that it would soon be commencing HIPAA Phase 2 audits of selected HIPAA covered entities and their business associates. In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

Information about the audits can be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html.

Here are some things you should do right now to get ready in case you are one of the lucky ones who get audited:

1. Make sure your hospital’s spam blocker will not block any e-mails from the following e-mail address: OSOCRAudit@hhs.gov  You will only be notified by e-mail if you are selected to be audited and then you will only have 10 business days to provide the information requested by OCR.  If the e-mail from OCR is blocked, you might get a call saying you failed to respond as required.

2. Make sure all your privacy and security policies and procedures are up to date. They will almost certainly be requested if you are selected.

3. Compile a list of all your business associates and their contact information. This will be requested as well.  Furthermore, you might want to notify your business associates that they may be contacted by OCR to be audited and, if they are, request that they let you know and fully cooperate with the auditors.  And while you’re at it, make sure your business associate agreements are properly executed and up to date.

4. Conduct a mock audit. At the very least, your medical records, I.T., and compliance departments should be involved along with your Privacy Officer, senior management and legal counsel.  While the Phase 2 audit protocols have not been released yet, the Phase 1 protocols are available and can be helpful to prepare.