Back in March, we reported that OCR had announced its Phase 2 Audit Program. When we last heard from OCR about Phase 2 HIPAA Audits, we saw that emails were being sent to Covered Entities and Business Associates. The purpose of the emails was to verify and expand the OCR HIPAA audit pool. We wrote about that here. OCR has now moved on to the next step – the audits have actually started. What does this mean?
If you are selected for an audit (unlucky you), you will get an email that looks like this (PDF). The letter explains that
Audits present an opportunity for OCR to examine mechanisms for compliance; identify promising practices for protecting the privacy and security of health information; discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews; and better target the technical assistance it provides to covered entities and business associates.
What it does not say is that audits also provide a mechanism to determine if an entity is HIPAA compliant and to take appropriate actions, as necessary.
The letter further goes on to say that the selected entity has 10 business days to upload documentation to a portal. It states:
If you do not respond to the document request, we will use the information that is otherwise available about your organization to move forward with our audit program; failure to respond will not shield your organization from becoming the subject of a compliance review.
Clearly, if you get one of these letters, it is in your best interest to respond. So what do you have to do?
If you click on the Document Request Access Link contained in the letter, you will eventually come to a webpage that looks like this:
From there you will have to upload the requested documents. The requested documents can relate to both the HIPAA Privacy Rule and the HIPAA Security Rule. It appears that these audits are not comprehensive; OCR is looking for a sampling of your HIPAA compliance program. Of course, you cannot know in advance which samples OCR will request.
The best strategy? Make sure your HIPAA compliance program is in the best shape it can be before any letter arrives. If you get an OCR letter, you will have 10 business days to assemble and tidy up the requested documentation before submitting it, which is enough time to organize existing records but not to build a compliance program from scratch. Start working on the request right away; 10 business days will go by before you know it. Review the documentation request with others to make sure you are submitting exactly what is asked for and that your response is accurate and complete. Once you have submitted the documentation, OCR will analyze and review it and eventually send you its findings.