The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that the agency expects to begin Phase 2 Audits in early 2016. OCR intends to conduct desk audits and on-site audits of covered entities (CEs) and business associates (BAs), and has contracted with FCi Federal, Inc., to conduct the data security audits. OCR will begin sending pre-audit surveys to CEs and will obtain BA information from the survey responses. OCR intends to select 350 CEs and 50 BAs over the next three years to conduct audits. Of the 350 CEs selected, there will be approximately 232 healthcare providers, 109 health plans, and nine healthcare clearinghouses. The BAs selected will include 35 IT-related vendors and 15 non-IT-related vendors. OCR intends to audit 150 CEs and 50 BAs for compliance with the security standards, 100 CEs for compliance with the privacy standards, and 100 CEs for compliance with the breach notification standards.
CEs and BAs that receive notification from OCR of a pending audit will have two weeks to respond to a data request. OCR has been developing a web portal for CEs and BAs to submit their data. OCR intends to email the audit notice and data request to the CEs and BAs, so it is important that the entity's privacy official alert the C-suite to the email request so that the entity can make a timely submission. OCR will accept only documentation submitted on time; therefore, it is important to have documentation collected and available in anticipation of a request. OCR expects entities to cooperate with the audit process, and any failure to respond to OCR's requests may result in OCR conducting a full compliance review of the entity.