The Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced on March 21, 2016, that it has officially begun Phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) Audit Program. Phase 2 will consist of more than 200 desk and onsite audits of both covered entities and business associates to determine their compliance with the Privacy, Security, and Breach Notification Rules. By contrast, the Phase 1 pilot audit program conducted in 2011 and 2012 targeted only covered entities and involved just 115 audits.
Business associates include any organization or person working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR). This can mean benefit consultants, third party administrators, health management vendors, and other types of businesses that can be necessary to administer a health and welfare benefit program. It can sometimes also mean accounting firms, auditors, law firms, business consulting firms, and software vendors depending on what services are being provided.
Covered entities should be prepared to verify their contact information and to respond to OCR’s pre-audit screening questionnaire, including providing the names of business associates if requested. The individual identified to OCR as the primary contact at covered entities and business associates should be on the lookout for email communications from OCR, including checking their junk or spam email folders for emails from OCR. When a covered entity or business associate does not respond to a communication from OCR, OCR will use publically available information to create its audit pool, and the entity may nevertheless be selected for an audit or subject to a compliance review.
This announcement indicates an increase in HIPAA enforcement, and is a great opportunity for covered entities as well as business associates to ensure that they are up to date with HIPAA compliance. It is also a great opportunity for phishing attacks. Hackers may try to obtain sensitive information under the guise of OCR or HHS correspondence. Refer any questions or concerns directly to OCR to ensure that all requests are legitimate government inquiries.