The Office for Civil Rights has started the second phase of its HIPAA audit program and will expect a 10-business-day turnaround on any HIPAA documentation it requests.

The Office for Civil Rights (OCR) recently posted details about the second phase of its 2016 audit program on the Department of Health and Human Services’ website. The HIPAA audit program is intended to assess the HIPAA compliance efforts of many organizations, including Business Associates and Covered Entities. The posting stated that the goal is to “get out in front of problems before they result in breaches.” The OCR will provide guidance based on the results of these audits.

Information-gathering Stage of Phase Two

As stated on the website, the OCR is currently sending emails to many organizations for information-gathering purposes. To determine who will be audited, the OCR is creating a pool of health care organizations. This pool will include Covered Entities and Business Associates. The emails ask for organizations’ contact information to ensure the OCR’s current records are up to date. If an organization fails to respond to these emails, the OCR will work from publicly available information instead. In other words, an organization cannot avoid an audit by ignoring the query.

Audit Stage of Phase Two

Once organizations are selected, the OCR will conduct desk audits. The first round will cover Covered Entities, and the second round will cover Business Associates. The OCR has not provided information on the requirements for these audits, but they are likely to focus on documentation. According to the post, the plan is to have the desk audits completed by December 2016.

As outlined in the audit-information post, the OCR will notify organizations of their selection for audit by email. Organizations will be required to provide specific documentation and other information in response to the audit letter, through a secure online portal, within 10 business days. Once the OCR has reviewed the information provided, the auditor will return feedback for the organization to review. The organization will have 10 business days to review the feedback and submit comments. After those 10 business days pass, the auditor will complete the final report for each organization within 30 business days.

Once the desk audits are complete, the OCR will move on to on-site audits, which will be more comprehensive. The OCR plans to follow the same time frame for on-site audits. According to a Healthcare Info Security publication, the OCR plans to conduct about 200 desk audits and 10 to 25 on-site audits.

What’s the Takeaway?

The biggest concern for most organizations is the 10-business-day turnaround time. For many organizations an audit is already stressful, and the added time constraint doesn’t help. If an organization is not ready, 10 business days is not enough time to bring itself into HIPAA compliance. It is better to get ahead of the game and conduct a risk assessment now, if one has not been completed within the last year. The OCR states that if an audit report indicates serious compliance issues, a compliance review will be initiated to investigate the situation further. This could have serious ramifications for organizations.

Are you protecting your organization from potential OCR HIPAA audits? Sign up for the free trial of HIPAAgps today and start making your organization HIPAA compliant.