As part of an ongoing effort to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun the second phase of audits for HIPAA covered entities. The first phase of the audits was conducted in 2011 and 2012 and evaluated the controls and processes implemented by 115 covered entities in order to comply with HIPAA’s requirements. This second phase of audits builds upon the findings of that first audit, and will address compliance efforts by both covered entities and their business associates.
The second phase of the OCR audits is focused primarily on compliance with HIPAA directives related to privacy, security, and breach notifications. Currently, details about the specific documentation that will be required is unavailable, but the OCR has noted that the audit will only deal with compliance with federal guidelines. Compliance with state regulations will not be addressed at all. Still, even though the specifics of the audit are still under wraps, now is a great time to review your own compliance with HIPAA rules and begin gathering documentation.
The HIPAA Audit Process: An Overview
Earlier this summer, the OCR sent notification to all HIPAA-covered entities requiring them to confirm the contact details for their organization and all business associates that handle protected data by the end of July. Once contact details are confirmed, the OCR will send out preliminary surveys to gather more information about specific organizations and their data protection protocols. From those survey responses, several hundred organizations will be chosen for desk audits, which means that they will be required to submit specific, requested documentation as instructed.
While the Phase 2 audits have many health care executives concerned, the OCR has noted that only several hundred entities will be selected for an audit, and of those, a very small percentage (only about 25 to 50 organizations total) are expected to move on to a full, on-site audit. Still, because there is no way of knowing whether your organization will be selected for audit, you need to prepare and be ready to go should that be the case.
The OCR is quick to point out that the Phase 2 auditing process is not intended to be punitive, and that the purpose is rather to identify best practices and potential weaknesses as a means to provide better guidance to covered entities on how to more effectively comply with HIPAA regulations. That being said, regulators do note that should there be serious deficiencies discovered during the process, then there could be sanctions or other corrective actions taken.