The Office of Civil Rights’ (OCR) second round of audits began on Monday, July 11, 2016, when selected covered entities received email notification letters on that day.

The letter asks for a response within 14 days from the date on the letter (July 25, 2016) confirming your organization’s email information with a Yes or No. You can find the sample letter at: http://www.hhs.gov/sites/default/files/ocr-address-verification-email.pdf.

If you, as a covered entity or business associate, do not respond to the OCR email requests OCR will find you by other means and you will still be on their audit list. OCR means business! They state on their web pages under their information and guidance section that EVERY COVERED ENTITY AND BUSINESS ASSOCIATE IS ELIGIBLE FOR AN AUDIT!

I suggest that in the future, and perhaps in the near future, OCR will audit both ALL covered entities, and ALL business associate periodically, every year, and/or every other year. You, as a covered entity or business associate, must be prepared!

Included in this round of OCR audits are:

• Covered individuals and organizational providers of health services;
• Health plans of all sizes and functions;
• Health care clearinghouses; and
• A wide range of business associates.

OCR will select audit locations by looking at a broad spectrum of candidates to assess HIPAA compliance across the industry.

Audit Pre-Screening Questionnaire

Once OCR has confirmed your organization’s email contact information, your organization will get a questionnaire to gather data about the size, type and operations of potential auditees. The audit pre-screening questionnaire is divided into the following sections:

• Basic information;
• Healthcare Providers;
• Health Plans;
• Healthcare Clearinghouses; and
• Business Associates.

Sounds easy and simple … right? You will find one question, the same question, in each specific area that is well beyond the regulations’ standards and implementation specifications, and something that many business organizations do not want to disclose: WHAT IS THE TOTAL REVENUE OF THE MOST RECENT FISCAL YEAR?

I am not suggesting you do not answer this question, but I am suggesting that you talk to your management staff, executive staff, and your attorney, and perhaps OCR before you answer this question.

My rational mind says OCR wants all the data for when they choose both covered entities and business associates for this round of audits. They will post the aggregate data after this round of audits and they will use your organizations’ revenue statements.

My devious legal mind wonders if this information will be used if your organization does not pass an audit and is moved into the investigation stage, and finally be used if your organization is fined.

It would be wise to think through your answers to all questions before you enter them into the new, more secure OCR portal.

Find the pre-screening questionnaire at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html.

Business Associate Listing – Sample Questionnaire

OCR is going to ask the covered entity auditees selected for the second round of audits to identity and provided detailed information regarding their business associates. OCR again provides a questionnaire that includes a spreadsheet template to use. It asks for names, titles and addresses of all business associates.

The first question asks if a covered entity needs to identify and provide information on business associates outside the boarders of the good old US of A.

We are in the belt and suspenders period of this round of audits. By this I mean that the guidance has just been released and can be interpreted in a number of ways and OCR has not as yet stated if they mean that an organization include business associates outside the United States on the list. I suggest that OCR will not answer such a question except by saying that if the entity fits the HIPAA business associate definition it needs to be included on the list. I also suggest that an organization include ALL its business associates on the list no matter what its address is.

Business associates should know by now that they can be audited, but for good business reasons your organization may want to notify your organization’s business associates if you are asked by OCR to send such a list to them.

I again suggest that you talk to your organization’s management, executive committee and attorney before you complete your organization’s business associate list for OCR.

Does your organization have a list of all the organization’s business associates? Now might be the time make or update such a list.

Find the business associate listing questionnaire at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/batemplate/index.html.

How the Audit Program Will Work

OCR will conduct both desk and on-site audits for both covered entities and business associates. The desk audits will be completed by the end of December 2016. The on-site audits will happen in 2017.

All auditees will be notified of the subject(s) of their audits in a document request letter sent via e-mail. The auditee will answer the request within 10 business days using OCR’s new on-line portal.

OCR will then audit the documents and data and send a draft report to the auditee for comments. Note: there is no timeframe within the guidance for the time OCR will take for the audit.

The auditee must return any comments in writing within 10 business days.

OCR will send a final report to the auditee within 30 business days after comment.

I had two clients go through an OCR HIPAA Audit in the first round in 2010, and 2011. One client told me that it took 200 – 300 hours to collect the organization’s HIPAA documentation.

If your organization worked every hour in the 10 business days, it would have 240 hours to work and gather documents. I suggest that all covered entities and all business associates gather their HIPAA documentation together now if it is not already in one place so that your organization is prepared if it receives an audit notification.

Other OCR Audit Guidance

OCR offered a webinar on the new phase of audits on July 13, 2016. They posted both the slides and Q+A from the webinar at:

• Slides – http://www.hhs.gov/sites/default/files/OCRDeskAuditOpeningMeetingWebinar.pdf.
• Q+A – http://www.hhs.gov/sites/default/files/Phase2AuditOpeningMeetingWebinarQ%26A.pdf.

Plus OCR has posed Guidance on Selected Protocol Elements at http://www.hhs.gov/sites/default/files/2016HIPAADeskAuditAuditeeGuidance.pdf. This is only a sample of the protocols. As stated above, OCR will send each auditee a document request for specific documents.

The full set of protocols may be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html. The full set of protocols prints to 384 pages or more, depending on computer and printer.

UNKNOWNS AND CONCERNS:

• When will OCR review and audit all covered entities and all business associates?
• What will OCR use fiscal year revenue data for?
• Does OCR’s request for business associates contact information include those with addresses outside the United States?
• Should a covered entity notify its business associates when OCR asks the covered entity for the information?
• Does your organization have a compiled business associate list?
• Does your organization have all HIPAA documentation collected together in one place, or in several known places?

Conclusion

It makes good sense for your organization to plan for an audit before it is audited, using all the guidance tools OCR has provided and continues to provide.