Please note that Standards referenced throughout this FAQ often apply to multiple sets of PREA Standards. Along with different standard numbers, the different sets of standards use different terminology to refer to the population they house including “inmate,” “detainee,” and “resident.” When referencing a standard that applies equally to all facilities covered under PREA, the language in the question and answer will, unless specified, refer to the Adult Prisons & Jails standard numbers and use the term “inmate” to refer generally to the populations in those facilities. The FAQ search functionality uses the standard numbering from the Adult Prisons and Jails, regardless of the specific setting. When a standard is selected, the search will identify all FAQs related to that standard across all standard settings.


Q:

What are the implications for a secure juvenile facility that gets audited and meets full compliance prior to October 1, 2017, but was not audited on Standard 115.313(c) and does not meet the staffing ratio requirement after October 1, 2017? What information does the governor need about compliance with Standard 115.313(c) to certify the state’s or territory’s compliance?

A:

As required under Standard 115.313(c), “…Any facility that, as of the date of publication of this final rule, is not already obligated by law, regulation, or judicial consent decree to maintain the staffing ratios set forth in this paragraph shall have until October 1, 2017, to achieve compliance.” Thus, for many or most juvenile facilities, the juvenile staffing ratio requirement will not take effect until October 1, 2017, just over a month into Audit Year 2 of PREA Audit Cycle 2, which begins on August 20, 2017 and ends on August 19, 2018. Therefore, compliance with the juvenile staffing ratio will first impact each governor’s certification determination for Audit Year 2 of Audit Cycle 2, which will be due to the Department on October 15, 2018. In order for a governor to submit a certification of full compliance with the PREA Standards for Audit Year 2 of Cycle 2, all facilities under the operational control of the executive branch, including facilities operated by private entities on behalf of the state’s or territory’s executive branch, must be in full compliance with all of the PREA Standards by August 19, 2018, which will include full compliance with Standard 115.313.

For example, in a given state or territory, some juvenile facilities may have been audited during Audit Year 1 of Audit Cycle 2 (August 20, 2016 – August 19, 2017), prior to the effective date of the juvenile staffing ratio requirement on October 1, 2017, and been found in full compliance. If these facilities have not yet implemented the juvenile staffing ratio requirement under Standard 115.313(c) by the end of Audit Year 2 of Audit Cycle 2 on August 19, 2018, these facilities would have met their auditing obligations under Standard 115.401. However, they would not be considered fully compliant with the PREA Standards because of their lack of compliance with the staffing ratio requirement in Standard 115.313(c).

For more information regarding the sources of information that governors should consider when making a PREA certification determination, please click here.

Standard: 115.13, 115.401
Categories: Compliance, Governor's Certification, Staffing Ratio
Q:

At what stage in the audit process is an audit considered complete for the purposes of meeting the requirement that one-third of an agency’s facilities be completed by the end of each year in the auditing cycle?

A:

Starting on August 20, 2016, which is the first day of the first year of the second three-year audit cycle, for the purpose of the PREA standards, the audit is considered complete upon issuance of the initial audit report or 45 days after the conclusion of the auditor's on-site visit to the facility, whichever comes first.

Revised August 15, 2016. Original posting date June 20, 2014.

Standard: 115.401, 115.403, 115.404
Categories: Auditing, Audit Process
Q:

How long must an agency and facility be in compliance with a particular standard or provision before an auditor should find that a facility meets a standard?

A:

A demonstrated record of sustained compliance with a standard during the one-year period preceding the audit will be sufficient to demonstrate audit compliance. Shorter periods of compliance may or may not result in an auditor’s finding of meets or exceeds a standard subject to the guidance below.

In general, auditors will need to see that compliance with a particular standard has become “institutionalized” at the facility. That is to say that a “quick fix” on the day of an on-site tour should almost never be sufficient for the auditor to find compliance. A short period of compliance during an otherwise sustained period of noncompliance should generally result in a finding of “does not meet standard.” By contrast, a discrete period of noncompliance during a period of otherwise sustained compliance should not, by itself, result in a finding of “does not meet standard.” The length of time required to demonstrate sustained compliance will depend upon the requirements of the individual provision being assessed. In any event, the auditor should be provided with sufficient evidence that the facility’s technical and short-term compliance has been “institutionalized” at the facility.

The following is an example of institutionalization: If a facility or an auditor determines that a new external reporting mechanism is required to comply with standard 115.51(b), the mere creation of a satisfactory avenue for external reporting will affect several other standard requirements. The auditor may determine that the new external reporting mechanism should be included in the written policies outlining the agency’s approach to preventing, detecting, and responding to sexual abuse. See 28 C.F.R. § 115.11(a). The auditor may determine that employees, contractors, and volunteers need to be trained on the new reporting mechanism. See 28 C.F.R. §§ 115.31 and 115.32. This will generally require modification, approval, and implementation of the training curriculum. Inmates must receive information on the new reporting mechanism during intake and as part of the 30-day comprehensive inmate education. See 28 C.F.R. § 115.33. The auditor may determine that the inmate education curriculum must be modified, approved, and implemented before these requirements are satisfied. Further, because existing inmates had not been previously provided with comprehensive inmate education setting forth an appropriate avenue for external reporting, all inmates must be informed of the new reporting mechanism. See 28 C.F.R. § 115.33(c). If the new external reporting mechanism also serves as the avenue for the facility to receive third-party reports, then the new reporting mechanism must be reflected on the publicly distributed information pursuant to standard 115.54.

It is important to note that, while a facility corrective action period may last for up to 180 days following the auditor’s issuance of the interim audit report, some corrective action will not require the full 180 days to complete and verify. Indeed, minor or technical violations with the standards may be remedied prior to the 30-day deadline for the auditor to issue the interim audit report—if, unlike the example provided above, the standard at issue does not implicate other related standards.

The standards require that each facility be audited at least once during the three-year audit cycle. See 28 C.F.R. § 115.401(a). Further, the standards require an auditor to review, at a minimum, a sampling of relevant documents and information for the most recent one-year period. See 28 C.F.R. § 115.401(g). Prior to the start of the first audit cycle, the Department of Justice issued the following guidance on this question:

DOJ recognizes that audits conducted toward the beginning of the first audit cycle, which began August 20, 2013, will take into consideration the fact that facilities will have spent a significant period of time institutionalizing the standards. By contrast, a short period of compliance during the end of the audit review period (meaning closer to August 2014 or thereafter) would not be sufficient to achieve compliance. DOJ is working with the PRC to define specific measures auditors will use to assess compliance. Additional information will be forthcoming soon. See Existing FAQ.

This revised and expanded FAQ includes the “additional information” referenced in that previously issued FAQ.

Standard: 115.401
Categories: Auditing, Compliance
Q:

What is the scope of the requirement in standard 115.401(j)? To what extent can and will this provision be enforced?

A:

Relevant Standard:
(j) The auditor shall retain and preserve all documentation (including, e.g., video tapes and interview notes) relied upon in making audit determinations. Such documentation shall be provided to the Department of Justice upon request.

Existing FAQ:
How long must the documents that auditors relied on for making audit determinations be retained? These documents must be retained for 12 months following the deadline for any agency audit appeal. Because audit appeals must be lodged within 90 days of the auditor’s final report, auditors must retain these documents for 15 months following the issuance of the final audit report. Longer document retention may be required in particular instances if so requested by the US Department of Justice.

This standard clearly establishes that it is the auditor who is responsible for retaining and preserving all documentation relied upon in making audit determinations. This includes both documentation relied upon in finding that a facility does not comply with a standard, as well as documentation relied upon in finding that a facility does meet or exceed a standard. If an auditor fails to comply with this provision, the auditor will be subject to actions that bear on the auditor’s continued DOJ certification status (e.g., retraining, restrictions on a certification, decertification, or denial of application for recertification).

The Department of Justice is in the process of finalizing an Online PREA Audit Instrument that agencies and auditors may choose to utilize for securely retaining the documents and information that could be used to satisfy the auditor’s document retention pursuant to standard 115.401(j). The following guidance is provisional and subject to change once the Online PREA Audit Instrument becomes available and fully functional:

An auditor “retains and preserves” all documentation when: 1) the auditor has the continued ability to identify and access the documentation for 15 months following the issuance of the final audit report; and 2) the auditor can, upon request, provide the documentation to the Department of Justice or direct that the documentation be provided to the Department of Justice.

Auditors will typically review and evaluate documentation in two separate circumstances: 1) off-site, before conducting an audit (and potentially post-audit, if needed) and 2) on-site, during an audit. Each circumstance is discussed separately below.

A. Documents that an auditor receives off-site, either before or after an audit.

The PREA Compliance Audit Instrument Checklist of Policies/Procedures and Other Documents lists many documents and categories of documents that an auditor may request and receive from the facility or agency pre-audit. This checklist is not exhaustive. The PREA standards clearly state that an auditor “shall be permitted to request and receive copies of any relevant documents (including electronically stored information).” 28 C.F.R. § 115.401(i).

An auditor may also receive pre-audit documents from other sources, including inmates or community members. This category of documents is straightforward: An auditor must retain and preserve any documents that the auditor has physically or electronically received outside of an on-site audit for the 15-month retention period referenced above.

An auditor currently has the following options for preserving this documentation:

1. paper copies or other physical format (e.g., video);

2. any electronic format in the auditor’s physical control (e.g., documents scanned to a computer, thumb drive, or disc); and

3. any secure electronic format that is accessible to the auditor (e.g., the forthcoming Online PREA Audit Instrument or other secure cloud-based storage).

In selecting a combination of one or more of the formats enumerated above, an auditor must ensure that he or she will be able to readily identify and access all documentation as needed for 15 months after the issuance of the final audit report, and be able to provide it upon request by the Department of Justice.

B. Documents that an auditor receives or reviews on-site, during an audit.

The PREA Compliance Audit Instrument Checklist of Policies/Procedures and Other Documents also lists many documents and categories of documents that an auditor will review during the on-site audit. To the extent practicable, auditors are encouraged to employ one or more of the methods listed above in A.1-3 to retain and preserve much of the on-site documentation for the 15-month retention period. However, some documentation may be extremely burdensome to physically copy or scan. An auditor may consider contracting with the agency or facility, whereby the agency or facility maintains physical possession of the documentation but allows the auditor continued access to the documentation, if needed, and the agency or facility also agrees to allow the documentation to be provided to the Department of Justice, if the Department requests the documents pursuant to standard 115.401(j).

This latter option raises several issues:

The auditor must have the ability to identify the documentation. As an initial matter, then, the auditor must take and maintain scrupulous notes regarding which documentation he or she reviewed during the audit. For example, the auditor could note “training files of every employee hired during the year 201X” or list the actual names of each employee whose training file the auditor reviewed. By contrast, a note of “reviewed 15 training files” would not be sufficient to identify the underlying documentation.

Once the auditor has ensured that his or her notes sufficiently identify the documentation, the auditor must ensure that, for the entire retention period, he or she has the continued ability to identify the documentation. That is, the auditor must understand the facility or agency’s record-keeping system so that the auditor could readily identify, find, and retrieve the documentation for up to 15 months after submission of the final audit report.

Once the auditor has ensured preliminary and continued identification of the documents, the auditor must ensure that he or she will have continued access to the identified documents during the 15-month retention period. The auditor may choose to ensure his or her continued access to the documentation by adding a clause to the auditing contract requiring the agency to provide the on-site documentation to the auditor and the Department of Justice upon written request with reasonable notice during the 15-month retention period.

Finally, the auditor must ensure that he or she can provide the documentation to the Department of Justice upon request, either personally or by directing the agency or facility to do so within the 15-month retention period. Again, the auditor may accomplish this by adding a contract clause stating that the agency or facility agrees to provide the identified documentation to either the auditor or the Department of Justice.

It is important to note that, regardless of any contractual relationship the auditor may enter into with an agency or facility, it is the auditor who retains ultimate responsibility for his or her compliance with this standard. If an auditor fails to retain and preserve all relevant documentation for the 15-month retention period, or fails to provide the documentation to the Department of Justice upon request, he or she will face actions that could bear on the auditor’s continued DOJ certification status.

Standard: 115.401
Categories: Auditing, Audit Process, Information Sharing
Q:

Does my agency have to audit exactly one third of its facilities each year? We are on an ACA audit schedule and ACA does not audit exactly one third of our agencies per year. Do we need to change the auditing schedule to comply with PREA?

A:

Standard 115.401 addresses audit frequency and timeframes, and requires that the agency ensure that each facility operated by the agency, or by a private organization on behalf of the agency, is audited at least once during each three-year period. The standards require an audit during each one-year period of at least one-third of each facility type (prison, jail, juvenile facility, overnight lockup, and community confinement facility) operated by an agency or by a private organization on behalf of an agency.

There are two other FAQs that focus on what happens if an agency does not audit exactly one-third of its facilities each year, as follows:

Please click here to read the FAQ that describes what happens to an agency’s three-year audit timeline if it fails to have the required minimum of one-third of its facilities audited by August 19, 2014.

Please click here to read the FAQ that addresses whether there is a time limit to the number of years that a state can submit an Assurance without a reduction in Department of Justice (DOJ) grant funding.

While agencies are not prohibited from coordinating the timing of ACA audits with PREA audits, agencies must audit one-third of each type of facility as specified in Standard 115.401(b), irrespective of the timing of any ACA audit schedule.

Standard: 115.401
Categories: Auditing
Q:

When a confining agency maintains relationships with one or more facilities that are operated by a private organization on behalf of the agency and with a private organization with whom it contracts for the confinement of inmates, what is the confining agency’s obligation under the auditing standards and the audit count calculation?

A:

A facility “operated… by a private organization on behalf of an agency” is required to be audited in accordance with the agency’s audit schedule, and will count as an agency’s facility for purposes of determining the “one-third” annual audit calculation. 

A mere “contract facility” pursuant to standard 115.12 does not count in the contracting agency’s audit requirements.  However, the contracted agency is considered its own “agency” for purposes of PREA, and has its own independent obligations to comply with the PREA standards (including the auditing standards).  This obligation becomes explicit when a contracting agency enters into, or renews its contract with a contracted facility pursuant to the standards.

If a public agency maintains relationships with both types of agencies, the agency should determine which facilities fall within each of the two categories, and include only the former category within its audit timelines and obligations.

See also related FAQs by clicking here or by searching for Categories Auditing, Compliance, and Contracting.

Standard: 115.12, 115.401
Categories: Auditing, Contracting, Covered Facilities, Definitions, Governor's Certification
Q:

What happens to an agency’s three-year audit timeline if an agency fails to have the required minimum of one-third of its facilities audited by August 19, 2014?

A:

The standards require generally that an agency must have “at least one-third” of its facilities audited during each one-year period, which began on August 20, 2013; and that all facilities must be audited by the conclusion of each three-year period, which began on the same date. See 28 C.F.R. § 115.401(a)&(b). Compliance with the audit timeline is evaluated both on a year-to-year basis and at the conclusion of the three-year audit cycle. Failure to comply with the audit timeline during the initial year of an audit cycle does not preclude compliance during years two and three of an audit cycle. Similarly, failure to comply with the audit timeline during the first two years of an audit cycle does not preclude compliance during the final year of each audit cycle. It is important to note that, for purposes of complying with standard 115.401(a) (requiring audits of each facility during the three-year audit cycle), agencies must ensure that each facility is audited at least once by August 19, 2016, and during every three-year anniversary thereafter.

a. By way of hypothetical, what happens if an agency has seven facilities but receives no audits by the conclusion of the first year of the first audit cycle (by August 19, 2014)?

The agency would not be fully compliant with the PREA standards as of August 20, 2014. However, the agency may still become fully PREA compliant during the second year and the third year of the audit cycle. For purposes of the audit cycle, compliance is determined during each specific audit cycle year. So if this agency obtains three facility audits (at least one-third) between August 20, 2014 and August 19, 2015, then the agency would be PREA compliant with the audit cycle during that year.

During the final year of the audit cycle (ending August 19, 2016), however, the agency would be required to have all four remaining facilities audited. This is because an agency has a separate obligation under the standards to ensure that “each facility” must be audited “at least once” during the three-year audit cycle (concluding on August 19, 2016). See 28 C.F.R. § 115.401(a).

b. As another hypothetical, what happens if an agency has only one facility but receives no audit by the conclusion of the first year of the first audit cycle (by August 19, 2014)?

Because the standards require that an agency have “at least” one-third of its facilities audited during each year of the three-year audit cycle, an agency with a single facility is required to receive an audit during the initial year of the audit cycle to be compliant as of August 19, 2014. In other words, an agency with a single facility cannot be said to have had at least one third of its facilities audited by August 19, 2014, if it has had no facility audits. However, a single-facility agency could become fully compliant at any point during the remainder of the three-year audit cycle (concluding on August 19, 2016) subject to a successful audit of that facility. So for example, a single-facility agency that is not compliant as of the conclusion of the first year of the audit cycle because it had received no audits by August 19, 2014, could nevertheless become fully compliant with the audit standards if it receives an audit one month later (early in the second year of the audit cycle) and would remain compliant with this standard through the remainder of the first audit cycle.

Standard: 115.401
Categories: Auditing, Audit Process, Compliance
Q:

How long must the documents that auditors relied on for making audit determinations be retained?

A:

These documents must be retained for 12 months following the deadline for any agency audit appeal. Because audit appeals must be lodged within 90 days of the auditor’s final report, auditors must retain these documents for 15 months following the issuance of the final audit report. Longer document retention may be required in particular instances if so requested by the US Department of Justice.

Standard: 115.401
Categories: Auditing, Audit Process, Information Sharing
Q:

Can PREA auditors engage support staff to assist with completing PREA audits?

A:

PREA auditors may employ staff to provide assistance, including conducting interviews, but the DOJ-certified auditor is ultimately responsible for the final audit. In addition, the certified auditor is required to be present for, and supervise, the entirety of the on-site portion of the audit; to be the counterparty in an agency’s contractual engagement for the conduct of the audit; and to sign and certify the interim and final audit reports.  Failure to adequately supervise such support staff could have consequences for the responsible auditor, up to and including decertification by the Department of Justice.  

Standard: 115.401
Categories: Auditing, Audit Process
Q:

Does the Health Insurance Portability and Accountability Act (HIPAA) limit the ability of medical professionals to report information to a facility related to sexual abuse of an inmate? Does HIPAA limit an agency’s ability to disclose medical information to a PREA auditor?

A:

No. The HIPAA regulations expressly allow medical providers to provide to a facility with lawful custody of an inmate any information necessary for (among other things) “[t]he health and safety of such individual or other inmates” or “[t]he administration and maintenance of the safety, security, and good order of the correctional institution.” 45 C.F.R. § 164.512(k)(5)(i).

Disclosures made pursuant to a PREA audit are also permissible under HIPAA pursuant to the regulatory exception for “health oversight activities.” 45 C.F.R. § 164.512(d). The HIPAA regulations allow disclosure to “a health oversight agency for oversight activities authorized by law, including audits,” where necessary for appropriate oversight of (among other things) “[e]ntities subject to government regulatory programs for which health information is necessary for determining compliance with program standards” or “[e]ntities subject to civil rights laws for which health information is necessary for determining compliance.” 45 C.F.R. § 164.512(d)(1). The HIPAA regulations define “health oversight agency” to include any person or entity operating under the authority of a public agency who is legally authorized “to oversee . . . government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.” 45 C.F.R. § 164.501. Because a PREA auditor qualifies as a health oversight agency, and the auditor’s work qualifies as a health oversight activity, HIPAA poses no bar to the disclosure of relevant information to the auditor. Although information may be disclosed to a certified PREA auditor, any public report or statement released by the PREA auditor must not include protected health information.

Standard: 115.401
Categories: Auditing