The Health and Human Services Office of Civil Rights (OCR) has been doing limited audits to ensure covered entities and business associates are in compliance with regulations governing health information privacy, security, and breach notification activities.
This limited Phase 1 has involved about 100 entities over the past year. Information gathered during this limited roll-out has been used to re-tool for a more broad-based audit moving forward. In fact, phase 2 was announced back in March – this phase includes both covered entities AND their business associates.
Phase 2 is already well underway, and OCR has been sending out emails to verify contact information for covered entities and business partners. These contacts will then be put in a hat to select audit participants. HHS is acknowledging that there are reliability issues caused by spam filters: “If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR; OSOCRAudit@hhs.gov.”
If you DON’T respond, HHS says they will throw you into the audit pool using ‘publicly available information.’ So you should probably add OSOCRAudit@hhs.gov to your spam filter whitelist or safe sender list to make sure you get the contact verification email when it comes.
According to HHS.gov:
“Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities. We expect covered entities and business associates to provide the auditors their full cooperation and support.”
Phase 2 will include two rounds of desk audits, that is, audits conducted remotely. The first round targets covered entities and the second their business associates. HHS says these desk audits are planned to be completed by December of 2016. Some desk auditees will then be selected for a broader onsite audit.
Here is the kicker – while HHS says that the ‘Audits are primarily a compliance improvement activity’ and designed to help other entities with compliance efforts, they also say that ‘Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.’