
Phase two HIPAA audits have begun


Phase Two of the Office for Civil Rights' (OCR) HIPAA audit program, which started about four months ago, is in full swing, with some covered entities having received notification letters this past Monday. 167 organizations now know they will be participating in the desk audit portion of the audit program. The desk audits will examine the selected entities' compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

 

What is a desk audit?

Desk audits are one of the ways the OCR can assess HIPAA compliance and see if there are any risks or vulnerabilities in the compliance programs and processes that may be in place. During a desk audit, an organization's documents are reviewed for compliance with the following requirements of the HIPAA Rules:

 

    • Privacy Rule
      • Notice of Privacy Practices & Content Requirements
      • Provision of Notice - Electronic Notice
      • Right to Access
    • Breach Notification Rule
      • Timeliness of Notification
      • Content of Notification
    • Security Rule
      • Security Management Process - Risk Analysis
      • Security Management Process - Risk Management

 

The OCR selected these requirements after its pilot audits and history of enforcement showed they were frequent areas of noncompliance.

 

What's next for HIPAA audits?

After the desk audits are completed, some covered entities will be subject to an onsite audit. Onsite audits can take 3-5 days and are more comprehensive than desk audits, covering a wider range of requirements. After audits are completed, OCR will review and analyze information collected and provide audit reports. The audit reports won't clearly identify the audited covered entities, but records can be requested under the Freedom of Information Act. If audit reports reveal any serious compliance issues, then OCR can investigate further via a compliance review.

For more information, visit the OCR HIPAA audit website.

 
