On July 12, 2016, HHS's Office for Civil Rights (OCR) distributed an e-mail discussing recent developments in Phase II of its HIPAA audit program.
For those looking to catch up on the Phase II audits, we provided readers with an overview of the audits back in March. In April, we discussed the HIPAA Audit Protocol that OCR is using to conduct the Phase II audits. And in May, we alerted readers to the notifications that OCR was e-mailing to covered entities in an effort to verify their contact information.
In its latest e-mail, OCR confirms that notification letters were delivered on Monday, July 11, 2016, to 167 health plans, health care providers and health care clearinghouses notifying them of their inclusion in the desk audit portion of the audit program. The desk audits will examine the selected entities' compliance with HIPAA's Privacy, Security, and Breach Notification Rules by examining certain documentation that the entities are required to maintain under HIPAA. OCR provides the following table setting forth the subject matter of the documentation review:
Notably, the three areas covered under the Privacy Rule relate to how patients are made aware of their rights under HIPAA and how they can access their own medical records. The desk audit does not focus on policies related to uses and disclosure of PHI. This emphasis dovetails with OCR recent efforts to educate patients and providers about patient access rights (which we previously covered here).
Entities have 10 business days, until July 22, 2016, to respond to the document requests.
OCR separately notes that desk audits of business associates will be occurring this fall. We will continue to follow developments in the Phase II audit program and bring you updates and analysis as they occurs.