As a foundation for moving forward with Phase II of its Audit Program of Covered Entities (CEs) and their Business Associates (BAs), HHS’s Office for Civil Rights (OCR) has quietly released its beefed-up Audit Protocol (Protocol). Significantly, this revised, more robust, Protocol more closely ties the audit “checklist” to the respective provisions of the implementing regulations under HIPAA and the HITECH Act.
As a first step in the Phase II audit process, however, OCR is actively sending Audit Pre-Screening Questionnaires, along with address and other contact verification requests, to approximately 1200 CEs in an effort to identify both CEs and their BAs for possible audits. OCR developed a template for CEs to list BAs and intends to use data from those surveys, along with its initial round of Phase II desk audits of CEs, to formulate its initial list of BA targets. The agency will be emailing surveys, contact verifications, and other communications regarding the Audit Program. The agency also released a Sample Audit Letter to give regulated entities an idea of what to expect. CEs and BAs should be actively monitoring their company and employee spam filters to ensure that they don’t “miss” correspondence from OCR.
OCR contemplates that Phase II will include 200 desk audits and between 10-25 “full scale” onsite audits. Both the desk and onsite audits are expected to include BAs. OCR will not, however, audit CEs or BAs with an open complaint investigation or those currently undergoing compliance reviews. We assume that BAs frequently identified by various CEs may be more likely subjects of audits. The agency will require auditees to submit responsive documents through OCR’s Audit Portal within ten days of receipt of the request. OCR did not allow for additional response time in Phase I and has not, to date, indicated a willingness to do so for this current round.
As a general matter, OCR intends to use the audit program:
to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable [the agency] to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.
Audit Phase 2, Program Objective, available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#when.
Although the desk audits will be more limited in scope than the onsite audits, the updated Protocol applies to both. The revised Protocol appears broader, both in terms of scope and subject matter and, according to OCR, was updated to reflect changes made by the HITECH Act’s implementing regulations in the HIPAA Privacy, Security, and Breach Notification Rules. The Protocol now includes approximately 180 areas of potential focus, including 89 areas under the Privacy Rule, 72 under the Security Rule, and 19 under the Breach Notification Rule. (The Phase I Protocol contained approximately 165 areas of scrutiny.) The Phase II Protocol also more closely links the requirements to their respective provisions of the implementing regulations under HIPAA and the HITECH Act. Specifically, the Protocol addresses each standard and implementation specification along with a parallel audit inquiry designed to test compliance.
Although it is unclear whether OCR will consider revising this Protocol, it is expressly accepting “feedback” from regulated industry. You can email them at: OSOCRAudit@hhs.gov. We view it as unlikely, however, that OCR would make fundamental changes to the Protocol at this point.
It now is prime time for regulated industry to review the revised Protocol, OCR’s recently issued Frequently Asked Questions, and all internal policies and procedures regarding the handling of Protected Health Information. Companies should evaluate compliance efforts across the board, in a step-by-step, rule-by-rule fashion, utilizing each of the identified regulatory requirements as a guidepost. OCR is likely to take the same systematic approach in its audits. Now is the time to ensure that all necessary policies and procedures are in place, current, and aligned with existing business activities.
Although the HITECH Act requires that OCR use Audits as an enforcement mechanism, the agency has made clear that they are not intended to be punitive. Rather, OCR intends to review policies, risk analyses, timeliness of notifications, notices of privacy practices, and other information to ensure compliance with the Privacy, Security, and Breach Notification Rules, working to ensure a transparent process with shared findings and useful recommendations for enhanced compliance.