The Office of Civil Rights (OCR) of the Department of Health and Human Services has begun Phase 2 of its audit program under the Health Insurance Portability and Accountability Act (HIPAA). In this phase, OCR will:

  • Collect contact information from covered entities and their business associates;
  • Audit selected covered entities and, later, business associates for certain documents to assess compliance;
  • Conduct on-site audits of certain entities.

The audits are expected to target specific areas of compliance under the privacy, security, and breach notification rules.

Initial Requests

Health plan sponsors and administrators, health care providers, and business associates of all types will soon receive (and some may have already received) emails from OCR asking for contact information. The information collected will help OCR build its pool of candidates for audit. OCR has warned that certain systems may filter its email as spam and that it expects entities to check spam and junk folders for the solicitation.

OCR intends to use publicly available sources to identify potential audit targets, so a failure to respond to the OCR solicitation will not necessarily exempt an organization from the audit process. Guidance does not state whether OCR is more likely to audit an entity that does not respond or self-identify than one that does. However, an organization can exercise more control over the process (in particular, the ability to designate who within the organization is to be contacted by OCR in the future) if it responds to the initial solicitation.

It appears as if the solicitations will come in two stages: first a request for basic contact information about the organization, followed by a pre-audit questionnaire that asks for certain information, including contact information for relevant business associates.

Getting Ready

To prepare for OCR's initial requests, covered entities and business associates should:

  • Be on the lookout for an email solicitation from OCR, and review your spam and junk folders in case the initial OCR email has been blocked. You may ask an appropriate member of your IT unit to adjust mail filtering so that emails from OCR are not blocked; keep in mind that allow-listing a sender address also makes a message that spoofs that address more likely to reach an inbox, so filtering changes should be paired with the verification step below. The only email address identified in relevant OCR guidance is, although it is not completely clear that emails will come from that address.
  • When you receive a solicitation, confirm that it is legitimate before acting on any link or attachment. Attackers may see this as an opportunity to infiltrate your computer systems by imitating the OCR solicitation, so treat an unexpected message as a potential phishing attempt: check that the sender address and any linked domain belong to HHS, and, where there is doubt, confirm the request through OCR contact information obtained independently of the email rather than through the message itself.
  • Check with others in your organization who might also have received the OCR solicitation and appropriately centralize the response, so the right person will be contacted in the future.
  • Be prepared to respond to the request within 14 days. Because, in the second stage of this process, the pre-audit questionnaire will ask for the names of—and contact information for—all relevant business associates, you might consider preparing a list with that information in advance.

Audit Selection

OCR intends to choose subjects for audit from a wide range of entities, taking into account their type, size, location, nature as a public or private entity, and relationship to other healthcare organizations and individuals. Entities currently under a HIPAA investigation or compliance review will not be audited.

Audits

Audits are expected to occur in three stages: desk audits of covered entities; desk audits of business associates; and on-site audits. OCR has announced that it plans to complete the desk audits by the end of 2016. The desk audits likely will focus on documents demonstrating compliance with particular requirements in HIPAA's privacy, security, and breach notification rules. On-site audits will review a broader scope of requirements. Although the on-site audits are not necessarily linked to the desk audits, some entities selected for a desk audit also may be selected for an on-site audit.

OCR will notify covered entities that they have been selected for a desk audit. That notice will explain the process and OCR’s expectations in more detail. The notice will ask the covered entity to submit documents in digital form through a secure portal within 10 business days of the date on the request. After reviewing the documentation, auditors will share a draft of their findings with the covered entity. A covered entity will have 10 business days to submit written responses to the draft report. The final audit report will include those written responses.

While the desk audits of covered entities are in process, OCR will start to notify business associates that they have been selected for a desk audit. Those audits will follow the same basic process that applies to covered entities.

Covered entities and business associates that are subject to an on-site audit also will be notified. More information about the on-site audit will be provided during an entrance conference. The audit itself will last three to five days. The audited entity will have 10 business days to review a draft of the audit’s findings and submit written responses.

OCR has stated that audits will primarily focus on compliance improvement. The program is intended to help OCR, covered entities, and business associates identify areas of vulnerability and find ways to better protect information. But if an audit report indicates a serious compliance issue, OCR may undertake enforcement action.

Getting Ready

Covered entities and business associates will not know in advance whether they will be selected for an audit, but they should take certain measures in case they are:

  • Be prepared to cooperate with auditors and provide timely information. Because OCR is expected to ask for documents that are in effect on the date of the request, covered entities and business associates should review the state of their compliance, particularly as it is reflected in documentation, in advance of any audit selection notice.
  • If audited, be prepared to review the draft findings of the auditors and submit timely written responses.
  • Address issues identified in the final audit report and document those actions, so your efforts to comply with HIPAA can be clearly presented to OCR or others in the event of any future audit, compliance review, or investigation.

It is worth keeping in mind that, although compliance with HIPAA’s privacy and security requirements is an important goal, it is ultimately a means toward making sure that sensitive information is appropriately protected. Members of our HIPAA Compliance Team and our Employee Benefits and Executive Compensation and Privacy and Data Security Groups are prepared to help you address these concerns proactively and, if necessary, when incidents occur.

Ballard Spahr’s HIPAA Compliance Team, comprised of attorneys from various disciplines, advises health care providers, health plans, and their business associates on the privacy and security requirements under HIPAA. Our attorneys provide guidance on security rule practices and policies; prepare HIPAA policies, forms, vendor agreements, and other compliance documentation; prepare training tools and conduct HIPAA compliance training; and advise clients about OCR audit requirements.

If you have questions about the HIPAA audit program or HIPAA compliance, please reach out to the authors of this alert or any of the members of the HIPAA Compliance Team listed below:

JOHN DEVINE 215.864.8322
KURT R. ANDERSON 215.864.8432
ROBERT S. KAPLAN 215.864.8417
SANDRA MAKI HASHIMA 215.864.8873
CHRISTOPHER W. WELSCH 215.864.8222
SHARON M. MARSHALL 215.864.8506