ALERT: HIPAA Audit Letters Have Been Mailed

On Monday, March 21, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that Phase 2 of the HIPAA Audit Program has begun. Phase 2 audits will begin with "desk reviews" of Covered Entity and Business Associate HIPAA policies and procedures. A recently published OCR guide states that more thorough compliance reviews may be triggered if a desk review uncovers a serious compliance issue. Letters requesting updated contact information have already been mailed. These letters will be followed by a pre-audit questionnaire that begins to dig into recipients' compliance protocols. 

Desk audits will be completed by December 2016, so there is still time to protect your company or practice. In preparation for potential OCR audits, health care providers and health technology companies should conduct an internal audit of their compliance with State and Federal privacy and security rules, including HIPAA, and begin to address any shortfalls. OCR's increased budget and strategic plans related to HIPAA enforcement should remind the healthcare community of the growing commitment of the Federal Government to strictly enforce its privacy and security protections. Contact your healthcare attorney for advice on how to address your compliance posture.