The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), continuing its assessment of compliance with the HIPAA Privacy, Security and Breach Notification Rules, has begun its second phase of audits.
OCR routinely uses audits as a compliance tool, integrated with investigatory and enforcement-based supplements, which are commonly seen in the form of complaint investigations and compliance reviews. This being said, audits are not indicative of any wrongdoing by audited parties; rather, they are a necessary tool for finding weaknesses or vulnerabilities in the audited parties’ compliance programs. This is clearly stated in OCR’s description of its mission: “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”
In the newest phase of the HIPAA Audit Program, OCR will continue its review of covered entities and their business associates. However, this phase of auditing will focus on the policies and procedures adopted and executed by those entities and associates. Although these audits will be conducted primarily as desk audits, they still carry the same vigor and authority as the preceding phase. Furthermore, it is HHS that bears the cost of the audits, not the covered entities or their business associates.
The first step of phase two auditing begins with OCR emailing entities and their associates to request address and contact information. OCR will then continue the desk audit by sending a pre-audit questionnaire, which focuses on determining key identifying factors, such as the size and operations of prospective auditees. Ultimately, this data will be compiled to produce a comprehensive list of auditees.
However, if an entity does not respond to OCR, then OCR will use publicly available information to include it in the comprehensive list. This is done to ensure that entities that do not promptly comply with pre-audit requests still face the possibility of being audited. Still, it should be noted that OCR is simply reviewing compliance, and selection as an auditee is not indicative of wrongdoing.
OCR is also dedicated to full transparency in its auditing process. As the phase two auditing process draws closer, one can expect OCR to update its audit protocol on its website. OCR’s audits will provide the entire industry with a better understanding of HIPAA compliance, while simultaneously strengthening the policies and procedures of the entities involved.