Dive Brief:
- HHS' Office for Civil Rights (OCR) has rolled out phase 2 of its HIPAA audit program to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The audits will be mostly desk audits, but will include some on-site audits.
- The audit process begins with verification of covered entities' addresses and contact numbers via email. This will be followed by a pre-audit questionnaire to gather information about the size, type, and operations of potential auditees.
- If an email request goes unanswered, OCR will use public information about the entity to create its audit subject pool. The agency will post updated audit pools on its website closer to conducting the 2016 audits.
Dive Insight:
According to the HHS, the audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations for their own self-audits as part of their HIPAA compliance activities.
In addition, the agency said the audits "will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits... We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program."
An HHS OIG report last year found OCR lacked complete documentation of corrective measures in 26% of closed privacy cases. Furthermore, close to half of these cases were determined by OCR to be noncompliant with at least one privacy standard.