Question: Our medical office recently received a contact verification email from OCR. Does this mean we’re selected for the HIPAA Phase 2 audits?
Texas Subscriber
Answer: “Not necessarily,” says Seattle-based attorney Casey Moriarty of Ogden Murphy Wallace PLLC. “Although receipt of the communication is not a guarantee of an audit, it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.
In the first part of the Phase 2 audit process, the HHS Office for Civil Rights (OCR) emailed “Audit Entity Contact Verification” forms to prompt recipients to verify that they are the primary contact for the HIPAA audit program, Moriarty explains. “Covered entities and business associates who receive the form should respond and not ignore the OCR’s request for verification. The OCR has made it clear that entities who do not respond could still be subject to an audit.”
After verifying your contact information, OCR will send you a questionnaire regarding the size, type, and operations of your organization. You’ll also need to identify each of your business associates. OCR will then use this information to put together its pool of potential auditees.
Finally, OCR will randomly select entities from this pool for participation in the Phase 2 HIPAA audits. If selected, you’ll need to visit an OCR website and upload your HIPAA privacy policies, security policies, and most recent risk assessment, Moriarty noted. Based on this information, OCR may arrange for an on-site visit.
Bottom line: Although receiving the Audit Entity Contact Verification message doesn’t necessarily mean that OCR will select your organization for a HIPAA audit, OCR will likely place your organization into the pool from which OCR will select entities to audit, Moriarty says.