The best course of action to take if you are a recipient of a letter like this is respond as requested within two weeks. As of now, the Office of Civil Rights in the United States Department of Health and Human Services is seeking to determine who will be the targets of Phase 2 audits for the Health Information Privacy and Accountability Act passed by Congress in 1996.

The function of the Office of Civil Rights within Health and Human Services (HHS) is to be sure that all Americans have equal access to particular health and human services while protecting the privacy and security of related health information.

As your IT vendor for electronic health records, we wanted you to be aware of what OCR at HHS is up to.

Background – Phase 1 Audits

The first round of audits ended in 2012 and were written into law as part of the 2009 stimulus legislation designed to end the Great Recession. That bill contained provisions that beefed up HIPAA in the section on health care IT including some requirements for more stringent privacy and security provisions related to HIPAA.

However, another part of HIPAA was also updated that called for HHS to begin a set of audits to verify compliance with HIPAA rules.

Still another provision of the American Recovery and Reinvestment Act of 2009 established that businesses that contract with direct health care providers in areas such as insurance companies, data clearing houses data handling, processing and analysis must follow HIPAA as well.

During the Phase 1 audits, these business partners of hospitals and physician offices were all but ignored during the first set of audits.

In mid-March 2016 two providers were fined almost $5.5 million to settle alleged HIPAA violations. One of the two providers had contracted with Accretive Health, a Chicago-based company that manages revenue cycles. The OCR claimed that the two entities; the provider and Accretive health did not have a HIPAA-required agreement in place appropriately.

What Should You Expect With Phase 2 Audits?

The Office of Civil Rights within the HHS announced the new audits on March 21, 2016, at the 24th National HIPAA Summit in the District of Columbia. The agency released the following statement,

“OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”

Based on information from OCR, it is expected that business partners of direct providers will first be audited through a desk audit or a telephone audit. If information requests from business partners go unanswered OCR will use public information to build its audit subject pool.

It is also expected that the audit reports will be instrumental in creating “tools to improve compliance and prevent breaches, and to determine

“what types of corrective action would be most helpful, according to OCR. OCR is now reaching out to potential auditees by email to verify their contact information, and is identifying pools of organizations that represent a wide range of covered entities (health care providers, health plans and health care clearinghouses) and business associates, so that it can evaluate HIPAA compliance across the industry.”

If you are in the audit lottery as most providers and business partners are pull out your present HIPAA security risk assessment which also includes a work plan and begin to follow-up on issues that have not been closed.

Fines can be significant, so don’t delay.