HIPAA Privacy, Security, and Breach Notification Audit Program: Phase 2 Now Underway

On June 21, 2016 By Tevis

On March 21, 2016, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) launched the second phase of its audit program to review compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules. OCR has started sending letters by email (see sample letter) to covered entities and business associates, requesting information within 14 days of receipt. But that is just the beginning. The purpose of this Alert is to provide plan sponsors with a practical overview of OCR’s audit process.

Opening Note of Caution

HHS has conducted a number of random HIPAA audits since the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which strengthened HIPAA’s enforcement provisions. I have represented clients who have undergone Phase 1 HIPAA audits. These audits are quite thorough. In Phase 2, OCR will analyze plan sponsor risk assessments and follow up on what plan sponsors have done to resolve any security risks that exist. OCR continues its review until those risks have been addressed. Once OCR is satisfied, it will issue its closing letter.

The HITECH Act requires HHS to conduct proactive and periodic audits of covered entities and business associates to assess compliance with HIPAA’s privacy, security, and breach notification requirements. OCR implemented a pilot audit program (Phase 1) that concluded in December 2012. Phase 1 audits were performed on 115 covered entities (47 health plans, 67 health care providers, and 7 health care clearinghouses). OCR’s report to Congress concluded the following:

OCR used the Phase 1 report to shape the Phase 2 audit program.

Phase 2 Audit Program Details

Under the Phase 2 audit program launched in March, the OCR intends to audit a wide range of covered entities (plans, providers, and clearinghouses) and different types of business associates.

Steps One and Two: The first step of the Phase 2 audit program involves remote desk audits of covered entities, based on documents and other information received in response to an information request. The second step will be remote desk audits of business associates, conducted in the same manner as those of covered entities.

After reviewing the information, the auditor will provide draft findings, allowing 10 business days for written comments. A final audit report will be completed within 30 days and then sent to the audited entity. Steps One and Two are expected to be completed by December 2016.

Step Three: Finally, OCR will conduct on-site audits examining a broader scope of HIPAA requirements. Both covered entities and business associates, including those that have already undergone a desk audit, may be subject to follow-up on-site audits. On-site audits will include an entrance conference, followed by three to five days of on-site work. As with desk audits, entities subject to an on-site audit will be given an opportunity to comment on the draft audit report, and a final report will be shared with them. If an audit report indicates a serious compliance issue, OCR may investigate further.

Action Steps for Employers

Many employers have already taken the steps needed to comply with HIPAA’s requirements, such as creating written Privacy and Security policies and procedures and conducting workforce member training, but may have overlooked the need to conduct a periodic Risk Analysis. If you do not have a current Risk Analysis, below are some action items to consider for your health plan:

It is important to conduct risk assessments on a regular basis and to maintain detailed records of your findings before you receive an audit notice from OCR or learn that your health plan has had a Breach (i.e., unauthorized access to or disclosure of PHI).

Compliance Audit Checklist

The following is an informal audit checklist to help you focus on the kinds of things you must address, regardless of the size of your organization, if you receive, store, or create PHI.

  1. Do you have a Privacy and Security Officer?
  2. Do you limit access to protected health information (PHI) to individuals who have account responsibility, on an account-by-account basis? Are the systems that store PHI protected by a firewall?
  3. Have you identified high-risk activities, such as:
    • Transmitting PHI to a third party by facsimile or by unencrypted email?
    • Storing PHI on portable devices such as laptops, external hard drives, or USB thumb drives?
    • Using permanent (never-changing) passwords for access to PHI?
    • Keeping hard-copy PHI in separate folders but in unlocked file storage?
    • Permitting access to PHI by unauthorized users through shared passwords?
  4. Have you limited access to PHI to those individuals who have HIPAA training and a “need to know”?
  5. Do you conduct regular HIPAA training sessions?
  6. Have you implemented the following procedures?
    • Locking records and allowing access only to those individuals with a need to know, solely because of client assignments?
    • Requiring all users with PHI access to log off when they are away from their desks and to put away written materials as needed for security purposes?
    • Using privacy screens to minimize incidental disclosure?
    • Establishing a user-monitoring system that records access so that utilization audits can be performed?
    • Conducting periodic utilization audits?
    • Shredding all paper records containing PHI before discarding them?
    • Establishing a secure log of the location, use, and user of each piece of PHI provided to you for any reason as a Business Associate?
  7. Additional security items:
    • Protect computers from viruses and other malicious software.
    • Protect PHI that is removed from the office or accessed remotely (e.g., by encryption).
  8. Develop written security policies.
  9. Review locks and building security systems.
  10. Analyze the size of your organization and the layout of your facility to determine the optimal location for data storage. If data is stored on site, ensure that the location is locked at all times, with access granted only when necessary to perform a job function.
  11. All staff members need unique user IDs (login ID or name). Establish a written policy against sharing login IDs and passwords. Do not store IDs and passwords electronically in unprotected form. Do not allow the use of unauthorized software or hardware.
  12. Establish written policies governing the transmittal of PHI via email as well as breach notification rules. Install encryption software.
  13. Require that all cell phones used by your staff be locked and stored out of sight when not in use, and encrypt any PHI stored on such devices.
  14. Train staff to report any security incident immediately to their supervisor or to the Privacy and Security Officer.
  15. Train all staff who will have access to PHI in the rules established for providing notice of a privacy/security breach.

Copyright © 2016 Alfred B. Fowler, Attorney at Law · All Rights Reserved. Reprint with permission only. This Benefits Alert is published as an information source for our clients and colleagues. It is general in its nature and is no substitute for legal advice or opinion in any particular case.
