After several months of delay, the Health and Human Services Office for Civil Rights (“OCR”) has selected a vendor to begin Phase II of OCR’s random HIPAA audits mandated by the HITECH Act. The program’s first phase included over 100 pilot audits, and phase II was to have begun in late 2014. While the first round of audits included only covered entities, OCR will include business associates in the next round. The audits will assess compliance with the HIPAA privacy, security and breach notification rules.
One of OCR’s primary findings in the pilot audits was that many organizations had either not conducted an adequate security risk analysis or had not kept their risk analysis updated.
As a result, many of the audits, particularly the ones that are not conducted on-site (“desk audits”), will focus on organizations’ procedures for risk management and breach reporting. On-site audits will likely have an additional focus on some of the technical aspects of HIPAA compliance, including data encryption and administrative and physical safeguards. Both types of audits are also likely to examine organizations’ training policies.
In short, OCR will want to know whether an organization has a security and compliance program in place, how well it is implemented and by whom, and how the program is documented, communicated and enforced.
OCR has not yet stated when the phase II audits will begin, nor has it published the updated audit protocol the OCR auditors will use. However, covered entities and business associates should already be proactively monitoring their HIPAA compliance, which should help them be prepared if they are selected for audit. While most covered entities are aware of their HIPAA compliance obligations, organizations that are acting as business associates may not have focused on the issue.
The most important initial step an organization can take with respect to HIPAA compliance is to conduct a risk analysis (and document that it has done so). The HIPAA Security Rule requires that covered entities and business associates “implement policies and procedures to prevent, detect, contain, and correct security violations.” Organizations need to be able to identify the protected health information within the organization (including PHI that the organization creates, receives, maintains or transmits), identify the sources of PHI that the organization receives, and identify the threats (whether human or natural) to its security. (The current OCR audit protocol can be found here, and while it has not been updated to reflect the latest HIPAA regulations, it is a good starting point for organizations to begin the risk assessment process.)
TAKEAWAY: Jocelyn Samuels, the director of OCR, has noted that “audits are a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach.” Covered entities and business associates need to get out in front of the OCR’s audit process by stepping up their compliance efforts. Risk analysis is the first step, and it is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of PHI.