The Office of Civil Rights (OCR) of the Health and Human Services Department (HHS) has just announced it is starting HIPAA Phase 2 Audits, this time focusing on business associates (BAs) as well as covered entities (CEs). This phase was actually announced back in 2013 as OCR completed its initial HIPAA audits of a sample of covered entities, which ranged from large providers and health plans with extensive use of health information technology (HIT) to small providers/laboratories, etc., with little or no use of HIT. The HIPAA Phase 2 Audits have been planned for the past two years, but are only now getting underway. In this phase, every CE and BA is eligible to be audited!
HIPAA Phase 2 Audits – Initial Contact
The OCR will begin the process by sending an email to a CE or BA to verify the address and contact information. This contact will result in the organization receiving a pre-audit questionnaire asking about organizational characteristics, which in turn will be used to create a potential pool of audit subjects.
Here’s the catch: if you fail to respond to the initial contact or to return the questionnaire, you may still be selected for an audit – or even for a compliance review by OCR. The OCR expects to post an updated version of its audit protocols prior to starting the audits, and suggests CEs/BAs utilize the audit tool to conduct their own internal self-audits.
HIPAA Phase 2 Audits – You have been selected!
OCR will develop a random sample of CEs and BAs by size, activities, affiliations and other factors (including enforcement actions). CEs will be asked to identify their business associates, including contact information, and BAs will then be selected to join the pool of auditees. Failing to respond to a notice your organization has been selected will not get you out of the audit.
The HIPAA Phase 2 Audits will be conducted as both desk audits and on-site audits. The first round of desk audits will cover CEs, and the second round will include BAs. Audit subjects will be required to submit their policies/procedures and other documentation supporting their compliance with the HIPAA Privacy and Security Rules.
The on-site audits are supposed to be broader in scope than desk audits. The on-site audits will include both new CEs/BAs and those who were part of the desk audit subject pool.
Preparing for HIPAA Phase 2 Audits
First, if you are not sure the OCR has a record of your organization’s primary contact for HIPAA Privacy, Security and Breach issues, send an email to OS********@hh*.gov. Then make sure everyone in your organization knows who the HIPAA Privacy and HIPAA Security Officers are. It will be vital to receive and respond to email notifications from OCR, and sometimes correspondence comes by regular mail, too.
Second, dust off the results of your last HIPAA Risk Assessment and review your corrective actions to make sure you have addressed all of them – or documented why you didn’t.
Third, gather your documentation of staff training, your security and privacy breach incident plan, your list of business associate agreements, your technology inventory (software and hardware) and all of your HIPAA-related policies and procedures.
Finally, download a copy of the protocol OCR will use to perform desk and on-site audits. But be prepared: the audit protocol issued by OCR during its Phase 1 pilot audits was horrendous, and every item began with the same question: does the organization have policies and procedures that address the rule being examined?
The upcoming audits notwithstanding, it’s never too late to assess your ability to comply with the HIPAA Privacy, Security and Breach Rules. You can do it internally, or get help from an outside consultant.
What is certain is that an enforcement action brought because you have had a privacy or security breach will be more involved and expensive than any consultant, or than the HIPAA Phase 2 Audits themselves. And at that point you will have to make the time and budget dollars available anyway!