OCR Phase 2 HIPAA Audits – The Selection and Audit Process

Posted: Oct 24, 2014

Following the phase 1 audit, which focused exclusively on covered entities, the phase 2 audit conducted by The Office for Civil Rights (OCR) will also focus on business associates. From a pool of approximately 550 – 800 covered entities, which have been randomly selected from the National Provider Database and America’s Health Insurance Plans databases, OCR will then issue a mandatory pre-audit screening. This initial survey will address top level information, including organization size measures, location, services and contact information.

After collecting the responses, OCR will select and send requests for data to 350 covered entities in Q3. The request for additional data will include contact information of business associates from these covered entities. From this pool, OCR will select the business associates that will be required to participate in the phase 2 audits.

From the 350 covered entities selected, approximately 150 covered entities and 50 business associates will be audited by OCR for compliance with the Security Standards, 100 covered entities for Privacy Standards, and 100 covered entities for compliance with the Breach Notification Standards. Phase 2 audits of covered entities will be kicked off by OCR in Q3, with the phase 2 audit being initiated for business associates in 2015.

OCR has requested that covered entities and business associates respond within two weeks of receiving the audit request. Failing to respond within this timeframe could result in a referral to the applicable OCR Regional Office for a compliance review.

These data requests will specify the content, file names and any other supporting documentation requirements, and auditors may also contact covered entities and business associates for clarification or additional documents if necessary. Only current documentation that is submitted on time will be considered acceptable by OCR.

Unlike the phase 1 audits, phase 2 audits will be conducted as desk reviews with an updated audit protocol, rather than being on-site at the audited organization. OCR will be publishing the phase 2 protocol on their website ahead of the audit to allow entities to prepare for internal compliance assessments.

To ensure that the sharing of sensitive information within your organisation meets HIPAA compliance, contact us today to find out more about our secure cloud-based fax solutions.