OCR Update: HIPAA Phase 2 Audit Notices—Responses Due July 22, 2016

On July 11, 2016, e-mail notification was sent to 167 covered entities alerting them of their inclusion in the desk audit portion of OCR’s 2016 HIPAA audit program. Selected covered entities must respond no later than July 22, 2016. In a second wave, desk audits of business associates will occur this fall.

OCR recommends that all covered entities check their spam filters and junk mail folders for e-mails from OSOCRAudit@hhs.gov. OCR sent two e-mails to those selected, so covered entities included in the desk audits should locate and carefully review both e-mails. The e-mails include documentation requests (including a request for a complete list of the covered entity’s business associates), instructions for responding, and a link to use in submitting the requested documents, as well as information about an upcoming OCR webinar to explain the audit process.

OCR’s desk audits will examine the selected covered entities’ compliance with the HIPAA Privacy, Breach Notification, and Security Rules, with a specific focus on the following:

  • Privacy Rule:
    • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
    • Provision of Notice – Electronic Notice [§164.520(c)(3)]
    • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
  • Breach Notification Rule:
    • Timeliness of Notification [§164.404(b)]
    • Content of Notification [§164.404(c)(1)]
  • Security Rule:
    • Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
    • Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

Because of the very short time frame allowed for response and the recent increase in OCR HIPAA-related enforcement and penalties, selected covered entities should prioritize responding.
