Phase 2 of the HIPAA audits is fully underway.

Phase 2 of the HIPAA audits is fully underway, and covered entities now can take a breath if they have not received a desk audit request. But we still are at the beginning of Phase 2, with more to come. One of the best ways to ensure that your HIPAA compliance is in order is to prepare as if an audit is imminent. Here are some steps that covered entities and business associates can take to further prepare:

  • Business associates should verify that risk analysis, risk management, and breach notification policies and procedures, and supporting documentation, are in place and readily available.
  • Covered entities and business associates should leverage the Office for Civil Rights’ (OCR) updated audit protocol that ITPAC uses, to prepare for the possibility of an onsite audit and improve their compliance posture.
  • Covered entities should also focus on likely areas of future desk audits, such as device and media controls, transmission security, privacy safeguards, privacy training, encryption and decryption, and facility access controls.

OCR’s Phase 2 audits involve desk audits and onsite audits of covered entities and business associates. Covered entities were audited on one of the following:

  • Privacy/Breach practices for notice of privacy practices, the individual right of access, and breach notification.
  • Security practices concerning information security risk analysis and risk management.

Each audited covered entity also was required to provide a list of its business associates and associated contact information.

In addition to the desk audits, OCR is moving ahead with onsite, comprehensive audits. These audits have been delayed until 2017. These audits are where the OCR will use the full audit protocol that was updated in April. Covered entities and business associates will be notified of onsite audits next year via e-mail, followed by an entrance conference and a three- to five-day onsite audit. They then will receive a draft report and have only 10 business days to respond to the draft findings, which could cover hundreds of audit inquiries.

Assessing compliance against the audit protocol is a daunting task and should be treated as a substantial compliance project. It’s time to start preparing.

This is Only Phase 2. Based on an OCR presentation from 2014, future desk audits of covered entities likely will focus on:

  • Device and media controls
  • Transmission security (e.g., encryption of emails and other communications)
  • Privacy safeguards (e.g., physical security of paper records, administrative safeguards to reduce the risk of misdirected faxes, etc.)
  • Privacy training
  • Encryption of data at rest.

Now is a good time for covered entities to verify that they have policies and procedures with respect to the above HIPAA provisions in place, along with documentation demonstrating implementation of the policies and procedures.

The OCR has indicated that the Phase 2 audits are the start of a more permanent audit program. Accordingly, while the first batch of desk audits is already out the door, covered entities and business associates should continue to prepare for the many audits to come. Preparation should improve overall compliance efforts, better preparing organizations for responding to OCR investigations that are triggered by complaints or breaches.

If you have any questions about the Phase 2 audits facing hospitals and the training and strategies that can protect your hospital, give ITPAC a call.