Unlike the pilot audits conducted in 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR is conducting Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and on pervasive non-compliance based on OCR’s Phase 1 Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. OCR also intends for the Phase 2 Audits to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR has stated that it will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.
The following sections describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for Phase 2 Audits.
Selection of Phase 2 Audit Recipients
Based on prior statements from OCR about the Phase 2 Audits, the surveys recently issued to covered entities indicate that OCR has randomly selected a pool of 550 to 800 covered entities through the National Provider Identifier database and other external sources. The survey requests organization and contact information.
OCR has said that, based on the survey responses, it will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits. OCR will then notify and send data requests to the 350 selected covered entities. The data requests will ask the covered entities to identify and provide contact information for their business associates. OCR will select the business associates that will participate in the Phase 2 Audits from this pool. OCR had previously indicated that compliance audits of business associates would begin in 2015 and continue into 2016, but this timeframe will likely be pushed back based on the delay in the Phase 2 Audits of covered entities.
OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards, and 100 covered entities for compliance with the Breach Notification Standards.
Covered entities and business associates will have two weeks to respond to OCR’s audit request. The data requests will specify content and file organization, file names and any other document submission requirements. OCR will only consider current documentation that is submitted on time. OCR has indicated that auditors will not have an opportunity to contact the entity for clarifications or to request additional information, so it is critical that the documents accurately reflect the program. Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review. The Phase 2 Audits are expected to take place over three years.
OCR previously stated that the Phase 2 HIPAA Audits would be conducted as “desk audits” rather than onsite visits. In more recent statements, however, OCR has indicated that while most Phase 2 Audits will be desk audits, OCR will also conduct some onsite, comprehensive audits. OCR has said that it will make the Phase 2 Audit protocol available on its website so that organizations may use it for internal compliance assessments.
The Phase 2 Audits will target HIPAA Standards that were frequent sources of non-compliance in the Phase 1 Audits, including risk analysis and risk management, content and timeliness of breach notifications, notice of privacy practices, individual access, the Privacy Standards’ reasonable safeguards requirement, workforce member training, device and media controls, and transmission security. OCR projects that later Phase 2 Audits will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and other areas identified by earlier Phase 2 Audits. Phase 2 Audits of business associates will focus on risk analysis, risk management and breach reporting to covered entities.
OCR will present the organization with a draft audit report to allow management to comment before the report is finalized. OCR will then take into account management’s response and issue a final report.
What Should You Do to Prepare for the Phase 2 Audits?
Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:
- Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (Risk Assessment)
- Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion
- Ensure that the organization has a complete inventory of business associates and their contact information for purposes of the Phase 2 Audit data requests
- If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (1) why any such addressable implementation standard was not reasonable and appropriate, and (2) all alternative security measures that were implemented
- Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards
- For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices and not only a website privacy notice
- Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI
- Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for workforce members to perform their job duties
- Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment)
- Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption
- Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan
- Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (physical security plan, disaster recovery plan, emergency access procedures, etc.)
The McDermott Difference
McDermott assists clients in responding to OCR investigations, enforcement actions and document requests, including pre-audit screening surveys.
McDermott also licenses template HIPAA privacy, security and security breach notification compliance materials for covered entities and business associates. The materials include template policies and procedures, business associate agreements, patient forms, and a security risk self-assessment tool to enable a covered entity or business associate to implement the privacy, security and breach notification standards in a fraction of the time otherwise required for a successful implementation. McDermott assists clients in tailoring the materials to their respective businesses.
For more information, please contact your regular McDermott lawyer or one of the authors.