HIPAA Phase Two Audit Program
The HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. This phase reviews policies and procedures to confirm that covered entities and business associates meet selected standards and implementation specifications of the HIPAA Privacy, Security and Breach Notification Rules. The audit is also an opportunity to examine your own policies, systems and tools for compliance, identify best practices, and discover issues and vulnerabilities before they turn into breaches.
When Will the Audits Begin and Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. This includes individual and organizational health care providers and health plans of all sizes, as well as a range of business associates. Selected covered entities started receiving notification letters on July 11, 2016, and business associate audits will take place in the fall.
How Will Auditees Be Selected?
OCR is identifying pools of auditees that represent a wide range of health care providers, health plans, and other business associates. By auditing this wide range of entities, OCR can better assess HIPAA compliance across the industry, recognizing weaknesses, strengths, and pain points for health care organizations.
How Will the Audit Program Work?
OCR will conduct both desk and onsite audits of covered entities and their business associates. The first round will be desk audits of covered entities and the second round will be desk audits of business associates. All desk audits are expected to be completed by December 2016. The third round will be onsite audits, a more involved process that examines a broader scope of requirements in greater depth.
What is the focus in Phase Two?
Desk audits will focus primarily on documented policies and procedures, which lets OCR cover more auditees with fewer resources. OCR has also indicated that it will target the specific requirements of the HIPAA rules that Phase 1 findings identified as frequent areas of noncompliance. Therefore, expect the target areas to be as follows:
- Privacy: Notices of Privacy Practices and Content requirements, Access of individuals, and Minimum Necessary.
- Security: Security Management Process, including Risk Analysis, Media Movement and Disposal, and Audit Controls and monitoring.
- Breach Notification: Timeliness of Notification and Content of Notification.
If you are not confident that your health care organization or current IT partner is prepared for the upcoming audits, or if they lack HIT and HIPAA compliance experience, then it's time for a serious conversation with our Healthcare IT experts.