skip to content
Are You Prepared for Phase 2 of OCR

Are You Prepared for Phase 2 of OCR's HIPAA Audit Program?

Health Care Law Note
(September 22, 2015)

On September 3, 2015, at the 8th Annual HIPAA security conference sponsored jointly by the National Institute for Standards and Technology and the Department of Health and Human Services' Office for Civil Rights (OCR), it was announced that the long-awaited Phase 2 of OCR's random HIPAA compliance audits will begin in 2016.  According to David Holtzman, a former OCR official who currently is Vice President of Compliance Services with CynergisTek, Phase 2 will be "lifting off soon."  Holtzman specified that 1,200 audit survey letters will be issued within 30 to 60 days, and that a representative sample of approximately 300 entities from the group receiving surveys will be selected for audits.  Most of the entities audited are likely to be smaller entities, since OCR's pilot audit program in 2012 found that smaller entities had more numerous and substantial problems complying with HIPAA—particularly with the Security Rule—than did larger entities.

It also was announced at the conference that OCR has entered into a $769,000 contract with FCi Federal to conduct the Phase 2 Audit Program.  The contract extends through December 2016.  The audit protocol for Phase 2 will be based on the 2012 audit protocol but will be updated to include requirements of the HITECH Act Final Rule published in January 2013.  OCR Director Jocelyn Samuels noted that the updated audit protocol will be released as the audits draw closer.  Most of the audits will be desk audits, which will necessitate review of issues that can be documented by covered entities and business associates, such as policies and procedures.  It also was announced that some of the chosen covered entities and business associates will be the subject of onsite audits.

Deven McGraw, who began serving as OCR's Deputy Director of Health Information Privacy on June 29, noted that because OCR will be unable to look at everything in this second phase of HIPAA audits, it will focus on key areas of interest.  These will include how entities are complying with the breach notification rule, as well as how entities are providing patients electronic access to their health information and complying with other individual rights under HIPAA. 

Covered entities and business associates that are selected for an audit will have 10 business days (or two calendar weeks) to respond to an OCR audit request.  To ensure a timely response, organizations should begin preparing now to assure that their documentation is up-to-date and readily available to be uploaded to the audit portal.  The audit requests will specify the content, file names and other documentation requirements, and the auditors may contact the covered entities and business associates for clarifications or additional documentation.  OCR will only consider current documentation that is submitted on time, and failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review.

Obviously, the number of covered entities and business associates that will be audited in Phase 2 is a very small percentage of the approximately 3 million entities currently subject to HIPAA.  However, there are a number of steps organizations can take now to reduce the risk of enforcement activity in the event they are chosen for this audit and, if they are not, to reduce the likelihood of other HIPAA enforcement activity in the future:

  1. Current Risk Analysis.  Ensure that the organization has completed a thorough security risk analysis and created a risk management plan that identifies deficiencies, ranks them in order of priority, and documents corrective actions as they are taken (and the reasons why other corrective actions have not been taken).  The risk analysis and risk management plan should be periodically reviewed and updated to reflect the organization's ongoing attention to identified and emerging security risk issues.  OCR repeatedly has noted that an entity's failure to have performed a risk analysis, or having an outdated risk analysis, is one of its most frequently observed HIPAA violations.
  2. HIPAA Policies.  Ensure that the organization maintains and is following a comprehensive set of HIPAA policies addressing privacy, security, and breach notification requirements.  These policies should reflect that they have been reviewed since the effective dates of the HIPAA Privacy Rule (2003) and the HIPAA Security Rule (2005); otherwise, it will appear that the policies are simply for show, since substantial changes have been made to HIPAA since 2009 through the HITECH Act and its implementing regulations.  Superseded versions of policies must be maintained for six years.
  3. Know Your Business Associates.  Maintain a list of the organization's current business associates.  OCR will ask covered entities that are surveyed for this list, and these lists will be used to determine which business associates will be audited in Phase 2.
  4. HIPAA Compliance File.  Maintain a HIPAA compliance file that contains evidence of current HIPAA compliance.  This should include current policies, evidence of HIPAA training, risk analysis reports and risk management plans, evidence of monitoring logs of network activity or medical records access, information about potential breaches and their resolution, and the like.  Having such a file on-hand will help those entities that are audited in Phase 2 to provide documentation requested by OCR within the 10-day response period.
  5. Training.  Review and update the organization's workforce training on HIPAA issues, with a focus on safeguarding the security of information.  All members of the workforce should know how to report a security incident or a potential breach of health information, and in light of the recent spate of large-scale hacks, training should include social engineering resistance (how to avoid phishing, baiting, and other online scams).
  6. Review OCR Resources.  Review the Resolution Agreements on OCR's website, and monitor new developments by subscribing to OCR's listserv.  Organizations should understand what types of violations have led to enforcement activity and take steps to avoid those mistakes.  When the updated audit protocol is released, organizations should review and use it to identify potential areas for improvement and update policies and processes accordingly.
  7. Audit Response.  Respond to OCR audits or compliance reviews completely but concisely.  Be certain to address all requested items, but do not send extraneous or unsolicited materials.  Before submitting responses, consult with counsel about what information is and is not relevant.
Associated Industries

Each of our lawyer's e-mail address is provided with his or her biography. If you are not a current client of our firm, you should not e-mail our lawyers with any confidential information or any information about a specific legal matter, given that our firm may presently represent persons or companies who have interests that are adverse to you. If you are not a current client and you e-mail any lawyer in our firm, you do so without any expectation of confidentiality. We will not establish a professional relationship with you via e-mail. Instead, you should contact our firm by telephone so that we can determine whether we are in a position to consult with you about any legal matters before you share any confidential or sensitive information with us.