Question: With all the recent news on increased HIPAA enforcement, should we be worried about a federal audit of our privacy controls?

Codify Subscriber

Answer: Though the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Audit Program online resource is still available for review, the HIPAA Phase 2 program isn’t up and running anymore.

“The HIPAA Audit Program has, essentially, been terminated, which is too bad, because the audits, when implemented properly, can be a valuable tool for discovering where there are weaknesses in compliance, either by the fault of covered entities, or through inappropriate regulatory requirements,” says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont.

He adds, “Phase 2 was terminated without coming to a conclusion, and ‘Phase 3,’ yet to come, was identified in the fall of 2018 as a report generating recommendations based on Phases 1 and 2.”

OCR did update 13 questions on its Audit Protocol website last summer, with no major changes to HIPAA. The information was “based on the experience gained in questioning during the 2016 round of audits,” Sheldon-Dean notes. “Despite promises from HHS staff, a change history has not been provided, and the update itself was never announced.”

Remember: “Audits are meant to be a learning tool for covered entities and HHS,” reminds Sheldon-Dean. “I don’t think the Audit rules will be used for enforcement purposes, as it would require developing a program, while simply responding to complaints and breaches provides plenty of fruit for making examples of rule violators.”

Tip: Whether or not the HIPAA Audit Program makes a comeback, there’s never been a better time to up your compliance capital with updated policies. Take advantage of this reprieve to assess your risks and act on them with concrete management tactics.
And remember, document everything — because if OCR does roll out the audit patrol, the first thing they’ll ask for is written proof of your compliance plan. Check out the OCR guidance on the HIPAA Audit Program at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#when.