Get ready for a second round of OCR audits.
Now that the Phase 1 audits have finished, the HHS Office for Civil Rights is poised and ready to begin the second round of HIPAA audits. Are you prepared for OCR to knock on your door?
Phase 1 pilot audits that OCR conducted in 2011 and 2012 focused on covered entities (CEs) only. But the Phase 2 audits will involve both CEs and business associates (BAs), according to McDermott Will & Emery attorneys in an article published in The National Law Review.
“Unlike the Phase 1 audits, OCR will conduct the Phase 2 audits as desk reviews with an updated audit protocol and not on-site at the audited organization,” MWE noted. And OCR will post the Phase 2 audit protocol on its website so you can use it for your internal compliance assessment.
OCR itself will conduct the Phase 2 audits and will focus on more high-risk areas, explained attorneys Adam Greene and Rebecca Williams in a recent advisory from the law firm Davis Wright Tremaine. OCR may also potentially integrate the audits into its formal enforcement program.
This means that if “an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties,” MWE warned.
Pay Close Attention To These Areas
And in the Phase 2 audits, OCR will target HIPAA standards with the highest numbers of noncompliance in the Phase 1 audits (see below for more details). According to MWE, these standards are: