From Health Law Daily, July 17, 2015

OCR Phase 2 audits to focus on specific HIPAA rules

By Sarah E. Baumann, J.D.

Phase 2 of the HHS Office for Civil Rights (OCR) Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) audits may begin soon, according to Adam Greene, a partner at Davis Wright Tremaine LLP and former HHS regulator, and Cliff Baker of Meditology Services, and covered entities (CEs) and business associates (BAs) are likely to be audited based on compliance with individual HIPAA rules. In a Wolters Kluwer-sponsored webinar entitled “What You Need to Know About Phase II HIPAA Audits,” Greene explained that the OCR planned to begin audits in 2014, but the process was delayed. Unlike Phase 1 audits, which focused on general HIPAA compliance, most of the Phase 2 audits are expected to focus on compliance with one of the following specific HIPAA rules: the Privacy Rule, the Security Rule, or the Breach Notification Rule.

Phase 1 v. Phase 2 audits. The OCR hired contractors who began conducting on-site Phase 1 audits of CEs, authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5), in 2011, and made adverse findings for 89 percent of CEs audited. Providers struggled with compliance more than health plans, and smaller organizations struggled more than larger organizations; CEs overall struggled with Security Rule compliance. The OCR plans to conduct its own desk audits in Phase 2 but will conduct on-site audits as staffing allows. Initially, the office suggested that it would conduct 400 audits, of which at least 150 would be Security Rule audits, at least 100 would be Privacy Rule audits, and at least 50 would be Breach Notification Rule audits. However, the OCR may have lowered its target to a figure closer to 200 in order to allow it to perform more on-site audits. While the office only audited CEs in Phase 1, it is expected to audit a limited number of BAs in Phase 2.

Phase 2 process. The OCR has sent and is continuing to send address confirmation letters to CEs; those CEs who receive confirmation letters can expect to be audited and receive surveys in the mail at a later date. Greene noted that organizations have been expecting the audits to begin for a while and opined only that they may finally occur “in the very near future.” During the audit, the OCR will ask CEs for lists of their BAs; it will later select BAs from those lists for auditing. Baker suggests that CEs compare their accounts payable to BA agreements to develop a comprehensive list of BAs. The main area of focus for CE Security Rule audits will be risk analysis; for CE Privacy Rule audits, notice and access to information; and for CE Breach Notification Rule audits, content and timeliness of notification. The OCR will focus on information technology-based BAs but will not perform Privacy Rule audits of those entities. Security Rule BA audits will focus on risk analysis and management and Breach Notification Rule BA audits will focus on breach reporting.

Audit tips. Baker urged CEs and BAs to provide an organized response to audits, naming one person within the organization to serve as a point of contact. When various groups within an organization respond to audits, they may submit conflicting or outdated information that cannot be pulled back. He also emphasized the need to be succinct in responses. Auditors are required to review all information submitted. Submitting more information than is requested may both overwhelm auditors and raise issues that they were not focused on in their initial requests.

Attorneys: Adam H. Greene (Davis Wright Tremaine LLP)

Companies: Meditology Services
