Although the Office for Civil Rights (OCR) has indicated in the past that it would start its next round of HIPAA audits, apparently it means business now. In the wake of an Inspector General report that the OCR was merely investigating data breaches and complaints, the OCR sent a letter to the Inspector General last week indicating that it is moving forward with Phase 2 of its audit program in early 2016.
The audits will concentrate on high risk areas and pervasive non-compliance based upon the Phase 1 audits, will include onsite visits and desk reviews, and will include both covered entities and business associates. In addition, the OCR will be updating its audit protocols and “refining the pool of potential audit subjects.” It is anticipated that over 350 entities will be included in the audits.
In anticipation of launching Phase 2, OCR has chosen FCi Federal as the vendor to conduct the audits. As with Phase 1, the audits will commence with a data request, although the next audits will no doubt focus on data security. Now is the time to get ready for a HIPAA audit, and both covered entities and business associates would be well served by reviewing their HIPAA compliance program to make sure it can pass the test.