There’s always something on your daily, weekly or monthly to-do list that loses priority due to today’s five – alarm fire. While there is no getting around attending to the conflagration of the day, eventually those formerly lesser priority tasks have to be addressed.

For many in the Healthcare and Healthcare IT sphere, preparing for Phase 2 of the HIPAA Audit Program is one of those tasks that gets pushed off until someone realizes that it is a five – alarm fire. Truthfully, any business that operates within the lawful confines of HIPAA, should already have matters well in order – but regardless, it’s a complex process. One that requires vigilance and constant review in order to maintain over time.

In April 2016, the Department of Health and Human Services (HHS) started sending out notifications to both Covered Entities (CEs) and their Business Associates (BAs) via email. The Compliance Enforcement Index states:

“The Office for Civil Rights (OCR) has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pool […] If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”

There is a time limit on how long a CA or BA has to reply to this initial email and OCR clearly points out that it is your organization’s responsibility to ensure that you see this email and respond within the time limit. The only CEs/BAs exempt from this round of auditing are “entities with an open complaint investigation or that are currently undergoing a compliance review organizations exempt.”

Don’t Panic – But Do Make Sure You Are Ready

To prepare for this phase of audits—the first, easiest, and critical step you need to take is to make sure that you have whitelisted OSOCRAudit@hhs.gov, so their notices don’t go to your spam folder! In fact, this is so important that even if you are 100% sure the email address is whitelisted, go and check it again.

Why is this so important? OCR has clearly stated that they expect you to be aware of this first round as well as any subsequent round of email contacts. They indicate that you have a limited time to respond, which is 14 days from initial contact to verify information and ten days from any contact regarding desk audits or on-site audits. OCR has no concern for whether or not this email notification gets filtered as spam. Once you check to make sure that you’ve whitelisted OSOCRAudit@hhs.gov before, we highly recommend you check your email’s spam filters. Then, look into whether or not the contact email you have provided the OCR as your primary contact is still valid. According to the sample letter that is posted on the HHS site “If we [OCR] do not receive a response from you, we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.” The OCR’s email notifications include a deadline for responding to their request for verification of your contact information. The deadlines for response may have already passed, so if you have not responded to the OCR’s first notification, the default is that they will send future notices to this email address.

The first round of desk audits will start with Covered Entities. In the months following, the second series of desk audits will begin for Business Associates. The timeline for completion of these desk audits is December 2016.

However, after these two rounds, some organizations will be selected for more detailed reviews— onsite audits that will carry into 2017. Some companies that were desk audited will also be subject to onsite reviews.

An Increase in The Federal Budget for OCR Means More Resources. And More Audits.

President Obama’s proposed budget for the fiscal year 2017, which begins Oct. 1, includes $1.15 trillion for HHS, up about 3% from the budget authorized for the fiscal year 2016. It calls for about a 10% increase for the OCR to $43 million up from $39 million that was approved for the office in both fiscal year 2016 and 2015. The OCR is seeking funding to move more aggressively into auditing to ensure that both Covered Entities and Business Associates are taking HIPAA compliance seriously. (Budget appropriations must be approved by Congress, so this is more of a statement of priority for funding when Congress is controlled by the opposing party.)

In April of 2016, the OCR published an audit protocol to help organizations prepare for audits, regardless of whether the audits had been triggered by Phase 2 of the HIPAA Audit Program or other factors such as consumer complaint or breach report. The audits include approximately 180 areas of scrutiny and allow only a limited response time of ten days after the notification. Be warned: you will need to have your documentation and requested materials organized and ready to go in the likely event that you are audited.

Before You Dive into It All, Make Sure You Have the Right Partners

The key takeaway from the HIPAA Omnibus Rule is that BAs and their subcontractors are directly liable for HIPAA compliance and any security breaches that result from noncompliance. If you are using a cloud storage provider or managed service provider to create, administer or store your HIPAA-regulated data, and that provider is not able to prove compliance? You should change providers if they are unwilling to become compliant.

As mentioned earlier, there are roughly 180 different areas that may be addressed in an audit. The OCR’s audit protocol specifically calls out “Entities must provide only the specified documents, not compendiums of all entity policies of procedures. The auditor will not search for relevant documentation that may be contained within such compilations,” so a high-level overview will not be sufficient.

If you haven’t already done so, it is imperative that you organize all relevant documentation, and have training programs created and in place to ensure that employees, contractors, and partners are aware of compliance and their role in it. You also must show that you are working with proven HIPAA-compliant providers. These are just a few key elements to preparation for a compliance audit. Depending on the size and nature of your organization, there may be many more.

A failed audit can result in fines, required remediation, high costs, loss of reputation, and loss of business revenue. Even if you survive 2016 without audit or issue, you must keep your documentation and processes up to date. Don’t relax yet. There’s work to be done.

Please visit the HHS Compliance website today for more information.

Additional Resources on This Topic:

Five Common HIPAA Compliance Myths Debunked
What to Look For in HIPAA Compliant Hosting