24 March 2016

HIPAA Phase 2 Audit Program Has Begun

Holland & Knight


Shannon Hartsfield Salimone is a Partner in Holland & Knight's Tallahassee office.

On March 21, 2016, the Department of Health and Human Services' Office for Civil Rights (OCR) announced that Phase 2 of its audit program has commenced. The audits could involve onsite assessments or desk audits, and will be completed by the end of December 2016. Letters have already gone out to some potential audit targets. These letters, which are automated email communications, request confirmation of the entity's identity and contact information. See this sample letter from the Department of Health and Human Services. Any covered entity or business associate is eligible to be audited. If the entity does not respond to the initial information request, it may still be selected for audit.

The question and answer guidance indicates that auditors will not be looking at state-specific privacy and security rules. This is interesting because HIPAA provides that more stringent state laws will preempt HIPAA. In order to comply with HIPAA, covered entities and business associates must comply with state laws that provide more protection for patient information. The guidance also indicates that OCR will not audit entities with open complaint investigations or compliance reviews.

Covered entities and business associates should take steps to prepare in case they are audited. The pre-audit screening questionnaire (which could get caught in spam filters) will require covered entities to identify their business associates. OCR is encouraging covered entities to get this list ready so they are able to respond to the request. Covered entities and business associates may also benefit from reviewing OCR's old audit protocol to ensure that they have documentation to demonstrate compliance with each of HIPAA's requirements. The old audit protocol was not updated to reflect the HITECH Act Omnibus Rule.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
