In September 2015, HHS’ Office of Inspector General (OIG) issued a report encouraging HHS’ Office of Civil Rights (OCR) to strengthen its oversight of Covered Entities’ compliance with HIPAA privacy standards, and recommending that OCR fully implement a permanent HIPAA audit program. In a response to the OIG report, OCR stated that it planned to start its Phase 2 HIPAA Audit Program in early 2016, which would include a combination of desk reviews and on-site reviews.
In preparation for its Phase 2 audits, in May 2015, OCR sent pre-audit screening surveys to a pool of Covered Entities that may be selected for such an audit. OCR randomly selected a pool of between 500 and 800 Covered Entities through several databases, including the National Provider Identifier database. OCR has stated that it will select approximately 350 Covered Entities – the majority of which will be healthcare providers – for Phase 2 audits.
The upcoming Phase 2 audits differ from the Phase 1 audits conducted in 2011 and 2012 in several important ways. For example, whereas the Phase 1 audits focused only on Covered Entities, OCR’s Phase 2 audits will be directed at both Covered Entities and Business Associates. HIPAA defines a “business associate” as a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. Examples of HIPAA Business Associates include, but are not limited to, vendors, third-party administrators, accountants, attorneys, consultants, and independent medical transcriptionists.
Furthermore, according to OCR, Phase 2 audits will focus on areas of greater risk to the security of PHI and on pervasive non-compliance based on OCR’s Phase 1 audit findings and observations. OCR has stated that it intends to use the upcoming round of audits to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR has made clear that where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil monetary penalties.
Several recent HIPAA settlements demonstrate how seriously OCR treats compliance. In September 2015, for example, OCR announced that a 13-physician radiation oncology practice in Indiana agreed to pay $750,000 to settle alleged HIPAA violations. The physician practice had notified OCR in 2012 of a breach of unsecured electronic PHI after a laptop bag was stolen from an employee’s car. In July 2015, St. Elizabeth’s Medical Center, a tertiary care hospital located in Brighton, Massachusetts, agreed to pay over $200,000 to settle alleged HIPAA violations related to employees’ use of a cloud-based document sharing application to store documents containing electronic PHI. With Phase 2 audits coming down the pike, and the OIG’s call for OCR to implement a permanent HIPAA audit program, significant HIPAA investigations and settlements are bound to become more common in 2016 and beyond.
The attorneys at Chilivis Grubman work with healthcare entities of all types and sizes on HIPAA compliance issues and in connection with HIPAA audits and investigations. If we can assist you with these or any other healthcare issues, please contact us at (404) 262-6505 or sgrubman@cglawfirm.com.