HHS Launches Phase 2 of HIPAA Audit Program | Practical Law

The Department of Health and Human Services's Office for Civil Rights (OCR) launched its next phase of audits, directed at covered entities and their business associates under the Health Insurance Portability and Accountability Act (HIPAA). The audits are intended to assess compliance with HIPAA's privacy, security, and breach notification rules.

Practical Law Legal Update w-001-7595 (Approx. 5 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 23 Mar 2016 | USA (National/Federal)
On March 22, 2016, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced that its next phase of audits is currently underway. The 2016 "Phase 2" HIPAA Audit Program is directed at covered entities (CEs) (which include group health plans) and their business associates (BAs) to assess compliance with the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see HIPAA Privacy, Security, and Breach Notification Toolkit). The program will review the policies and procedures adopted and employed to meet HIPAA's requirements.
As background, the Health Information Technology for Economic and Clinical Health (HITECH) Act required HHS to perform periodic audits of CEs and BAs to assess HIPAA compliance. The new Phase 2 program follows Phase 1, completed in 2011 and 2012, which assessed the controls and processes implemented by 115 CEs to comply with HIPAA (see Legal Update, HHS Launches Audit Program to Assess HIPAA Compliance). According to HHS, the audit process will help:
  • Determine best practices.
  • Provide guidance to identify compliance challenges.
For analysis of the HIPAA privacy, security, and breach notification rules, see:

Who May be Audited

According to HHS, every CE and BA is eligible for an audit, including:
Health providers and health care clearinghouses are also potential targets of the audits.
However, OCR will not audit entities that either:

Selection Process

Last year, OCR attempted to confirm that its contact information for potential audit targets was correct (the announcement includes a sample of this OCR form letter). In a pre-screening questionnaire, OCR requested, among other information, that CEs identify their BAs. If an entity did not respond, OCR used publicly available information about the entity to create its pool of audit targets. Entities that did not respond to the questionnaire may still be selected for audit.
OCR intends to audit a wide range of entities. Sampling criteria for selecting audit targets will include:
  • Size of the entity.
  • Affiliation with other healthcare organizations.
  • The type of entity and its relationship to individuals.
  • Whether an organization is public or private.
  • Geographic factors.
  • Present enforcement activity with OCR.
OCR has indicated that it will conduct a random sample of entities from its audit pool.

How the Audit Program Works

Entities will be notified of their selection as audit targets over the coming months. According to HHS, the audit process will involve:
  • A first set of desk audits of CEs, followed by a second round of desk audits of BAs (with all Phase 2 desk audits to be completed by year-end 2016).
  • A third set of onsite audits, each conducted over three to five days, which will examine a broader scope of HIPAA requirements than the desk audits. (OCR notes that there will be fewer in-person audits under Phase 2 than under Phase 1.)
Entities selected for an audit will be:
  • Sent an email notification.
  • Asked to provide documents and other data in response to a document request letter.
Audit targets must provide information requested in the letter within 10 business days of the date of the information request. Documents must be:
  • Converted to digital form.
  • Submitted electronically through an online portal on the OCR website.
After the audit, OCR auditors will:
  • Prepare a draft report of findings and provide the report to the entity.
  • Give the CE or BA 10 business days to respond to the draft report (with those responses to be included in the final audit report).
By way of scope, the OCR auditors will examine only the requirements under federal HIPAA, and not state-specific privacy and security rules.

Practical Impact

We covered this development to emphasize that, in addition to HHS's aggressive enforcement efforts on the investigations front (for recent examples, see Legal Update, HHS Nets Over $5 Million in HIPAA Settlements Involving Stolen Laptops and Practice Note, HIPAA Enforcement: Penalties and Investigations: Examples of Resolution Agreements), the government will also be conducting these Phase 2 audits. Though OCR characterizes its audits as a "compliance improvement activity," the announcement includes the following warning: "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate."
OCR also acknowledges in the announcement that its emails to audit targets may have been classified as spam by an entity's spam filters and virus protection programs – meaning that audit targets may have no idea that the correspondence (which includes a time-sensitive information request) even exists. The government expects CEs and BAs to check their junk or spam email folders for emails from OCR (specifically, from [email protected]).