As part of an ongoing effort to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun the second phase of audits for HIPAA covered entities. The first phase of the audits was conducted in 2011 and 2012 and evaluated the controls and processes implemented by 115 covered entities in order to comply with HIPAA’s requirements. This second phase of audits builds upon the findings of that first audit, and will address compliance efforts by both covered entities and their business associates.
The second phase of the OCR audits is focused primarily on compliance with HIPAA directives related to privacy, security, and breach notifications. Currently, details about the specific documentation that will be required are unavailable, but the OCR has noted that the audit will deal only with compliance with federal guidelines. Compliance with state regulations will not be addressed at all. Still, even though the specifics of the audit are still under wraps, now is a great time to review your own compliance with HIPAA rules and begin gathering documentation.
The HIPAA Audit Process: An Overview
Earlier this summer, the OCR sent notification to all HIPAA-covered entities requiring them to confirm the contact details for their organization and all business associates that handle protected data by the end of July. Once contact details are confirmed, the OCR will send out preliminary surveys to gather more information about specific organizations and their data protection protocols. From those survey responses, several hundred organizations will be chosen for desk audits, which means that they will be required to submit specific, requested documentation as instructed.
While the Phase 2 audits have many health care executives concerned, the OCR has noted that only several hundred entities will be selected for an audit, and of those, a very small percentage (only about 25 to 50 organizations total) are expected to move on to a full, on-site audit. Still, because there is no way of knowing whether your organization will be selected for audit, you need to prepare and be ready to go should that be the case.
The OCR is quick to point out that the Phase 2 auditing process is not intended to be punitive, and that the purpose is rather to identify best practices and potential weaknesses as a means to provide better guidance to covered entities on how to more effectively comply with HIPAA regulations. That being said, regulators do note that should there be serious deficiencies discovered during the process, then there could be sanctions or other corrective actions taken.
Preparing Your Organization for Audit
The Phase 2 audits intend to examine several key areas of HIPAA compliance, including:
- Risk analysis
- Risk management
- Notices of privacy practices
- Data access protocols
- Response to requests for access to protected data
- Timeliness of breach notifications
Again, these areas do not cover every aspect of HIPAA compliance, and your primary efforts should be focused on documentation related to these areas, but it's not a bad time to conduct an overall assessment of your HIPAA IT compliance as well.
Some experts recommend that you prepare for the audits the same way that you would for a HIPAA compliance investigation. This might include:
- Conducting an updated risk assessment to identify areas of vulnerability, and developing a plan for mitigating those vulnerabilities.
- Reviewing and updating your notice of privacy practices, if necessary.
- Reviewing and updating breach notification procedures. If you have had a breach, collect all documentation of the corrective action taken (including explanations about why certain actions were not taken, if necessary) and the steps you took to mitigate the breach.
- Reviewing your medical records request policies. Outline your procedure for authenticating requests.
- Evaluating the controls you have in place to restrict access to electronic medical records.
- Reviewing business associate agreements to determine that the proper HIPAA protocols are in place.
- Reviewing physical security of facilities and mobile devices, and developing plans for improved security if necessary.
The OCR is going to request written documentation of your compliance efforts via an online portal, so as you begin preparations, be sure you have everything in an electronic format ready to be sent right away. Above all, though, do not panic: While being selected for the audit might sound alarming, the chances that you will need an on-site audit are slim, and it's even less likely that you will face sanctions.
This is a sponsored post.