HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice

FISHERBROYLES.COM | THE NEXT GENERATION LAW FIRM®

PRACTICE AREA / INDUSTRY: HEALTHCARE; WHITE COLLAR LITIGATION & GOVERNMENT INVESTIGATIONS

Brian E. Dickerson, [email protected], 202.570.0248
Anthony J. Calamunci, [email protected], 419.376.1776
Nicole Hughes Waid, [email protected], 202.906.9572

March 22, 2016

As part of its continued effort to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced yesterday that it has begun its next phase of audits of covered entities and their business associates. In the 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures of covered entities and their business associates primarily through desk audits; however, some on-site audits will also be conducted.

This second phase of audits follows OCR’s 2011-2012 pilot program of 115 entities. From the data collected and results achieved, OCR developed enhanced protocols to be used in the 2016 Phase 2 HIPAA Audit Program, including a new strategy to test the efficacy of desk audits in evaluating compliance with the privacy, security and breach notification rules. OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

The first desk audits will be for covered entities, followed by a second round of desk audits of business associates. All desk audits in this phase will be completed by the end of December 2016. A third set of audits will be onsite and will cover a broader scope of requirements from the HIPAA Rules than desk audits. It is anticipated that results from desk audits may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered.

The audits are underway to review the policies and procedures of covered entities, beginning with an email notification from OCR requesting contact information. The emails will originate from [email protected]; if your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam folders for its email. Failure to respond to the notification email may result in OCR using publicly available information to create its audit pool, so a desk or onsite audit notification may not reach the appropriate company representative in a timely fashion. OCR will create a pool of targets for desk and onsite audits from the responses to the initial emails.

If your entity is chosen for a desk audit, the requested information must be submitted electronically within 10 business days of the request. OCR will provide draft findings, and auditees will have 10 days to review them and return written comments. Similarly, entities chosen for onsite audits will also receive an email notification. OCR will schedule an entrance conference to provide more information about the process, and onsite audits will be conducted over a 3-5 day period, depending upon the size of the entity. Entities will have 10 business days to review draft findings and provide written comments to the auditor. OCR will complete and provide a final audit report within 30 business days.

As we have advised in our recent client alerts regarding HIPAA enforcement trends, we believe the 2016 Phase 2 HIPAA Audit Program will have a keen focus on business associates and on covered entities’ Business Associate Agreements (“BAAs”). Business associates have been directly covered by HIPAA only since 2013; therefore, their compliance with the HIPAA Privacy, Security and Breach Notification Rules may not be as robust or as fully vetted as OCR requires. Business associates that conduct third-party billing, data analysis, storage and management, as well as the covered entities who have BAAs with these vendors, are particularly likely to be targets of OCR audits. Covered entities and business associates must exercise due diligence in reviewing their HIPAA compliance programs and conducting system-wide audits of their PHI safeguards to identify and remediate areas that may be vulnerable and could put protected health information (PHI) at risk.

For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:

Brian E. Dickerson, [email protected]

Nicole Hughes Waid, [email protected]

Anthony J. Calamunci, [email protected]