HIPAA Random Audits: What’s New in 2024

You may recall the Office of Civil Rights (OCR) is required by the HITECH Act of 2009 to conduct random audits of covered entities and business associates. Since that time the audits have been hit or miss—mostly miss.

In 2011 and 2012, the OCR conducted Phase I pilot audits. The goal of these audits was to evaluate how covered entities and business associates were complying with the HIPAA requirements. The audits accomplished three things. They helped identify best practices for compliance among covered entities and business associates, find risks and vulnerabilities, and test the OCR’s newly developed audit protocols.

In March 2016, the OCR launched the Phase II HIPAA Audit Program. The Phase II Audits targeted the HIPAA standards that showed the highest incidence of non-compliance in the pilot audits, including risk analysis and risk management, the Notice of Privacy Practices, training, and policies and procedures.

OCR randomly selected 167 covered entities for an audit. The majority of those selected received a desk audit, meaning they were audited remotely. Only a small number were selected for a comprehensive onsite audit. Since 2017, no random audits have been conducted.

Fast forward to 2024 and the Change Healthcare breach. This unprecedented data breach may have impacted as many as one-third of Americans, whose protected health information was viewed and stolen by an unauthorized third party. As a result, the OCR is reinitiating random audits in the latter part of 2024.

Here are two important tips we shared in a previous blog in the event you are selected for an audit:

  1. Pay close attention to the response deadline. The clock starts ticking on the letter's postmark date, not the date you received it. And remember, it's calendar days, not just the days your practice is open.
  2. Understand the gravity of these audits. The pilot audits in Phase I were performed remotely by subcontractors with no penalties levied. Phase II Audits will be conducted onsite by OCR staff. This phase could most likely include fines for noncompliance.

Compliance readiness is the best strategy. Here are two ideas. Conduct a self-audit and immediately correct any areas of noncompliance. Sign up for the Dental Compliance Institute’s Advanced HIPAA course to arm yourself with knowledge.

Keep Benjamin Franklin’s wise words in the forefront of your mind, “Don’t put off until tomorrow what you can do today.”