OCR Launches Phase 2 of HIPAA Audit Program


According to the Department of Health and Human Services, “The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”

So, the questions surrounding Phase 2 are:

WHEN? Currently underway.

WHO?  Every covered entity and business associate is eligible for an audit. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review. 

HOW DO THEY CONTACT YOU?  Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR (OSOCRAudit@hhs.gov).

HOW DOES THE AUDIT WORK?  OCR plans to conduct desk and onsite audits for both covered entities and their business associates. Audited entities will submit documents online via a new secure audit portal on OCR’s website. There will be fewer in-person visits during these Phase Two audits than in Phase One, but auditees should be prepared for a site visit when OCR deems it appropriate.

See all information from the Department of Health and Human Services here.

Read the Phase 2 Announcement here.
