Rumors of impending Phase Two HIPAA audits are growing about as fast as the list of HIPAA breaches. But are you ready? And what should you expect?
According to a February Healthcare Dive article, a recent survey revealed that only 58% of respondents said they had a HIPAA plan; 23% said they did not; and 19% were unsure. Two-thirds of the respondents were unaware of the HIPAA audits, and only a third had conducted a HIPAA-required risk analysis.
Phase One onsite audits were performed on 115 covered entities by an outside contractor in 2011 and 2012. Phase Two audits will be expanded to include both covered entities and business associates and will be completed internally as desk audits. Phase Two was supposed to have begun in 2014. So far, however, the industry is still waiting.
According to a presentation by Linda Sanches, MPH, Senior Advisor on Health Information Privacy for the U.S. Department of Health and Human Services Office for Civil Rights (OCR), at the HCCA Compliance Institute in March 2014, the Phase Two audits are expected to take place over three years.
The first round will begin with Covered Entities and will evaluate for the following:
- security (risk analysis and risk management),
- breach (content and timeliness of notifications), and
- privacy (notice and access).
Then, round two is expected to move to Business Associates, auditing for these factors:
- security (risk analysis and risk management) and
- breach (breach reporting).
Next, the process would return to another round of auditing select Covered Entities, this time addressing:
- security (device and media controls and transmission security) and
- privacy (safeguards, training to policies and procedures).
Finally, OCR would circle back around and audit for various elements of security, including:
- encryption and decryption,
- facility access control (physical), and
- other areas of high risk as identified by the earlier rounds of audits, breach reports, and complaints.
According to Sanches’ presentation, organizations that are selected for audit can expect the following from OCR:
- Data requests will specify content and file organization, file names, and any other document submission requirements.
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- Auditors will not have the opportunity to contact the entity for clarifications or to ask for additional information, so it is critical that the submitted documents accurately reflect the compliance program.
- Submitting extraneous information may make it harder for auditors to find and assess the required items.
- Failure to respond to requests may lead to referral for a regional compliance review.
To prepare your practice for an audit, here are a few suggestions:
- Conduct a risk analysis of your practice using this tool.
- Review the OCR audit program protocol and address all items in the “Audit Procedures” column.
- Maintain an accurate and updated list of your business associates and make sure you have current business associate agreements on file. Covered entities that are selected for audit will be required to produce a list of all business associates.
- Make sure all pieces of your compliance program are documented and up-to-date. Include the date of every change, update, and review.
- Inform and train your staff on all elements of your HIPAA compliance program.
For more detailed advice on preparing for Phase Two HIPAA audits, review the following white papers:
- HIMSS “Preparing for the Phase II HIPAA Audits”
- PWC’s “Preparing for Phase 2: The next generation of HIPAA audits”