The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) began a pilot program in 2012 to assess the procedures implemented by covered entities to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR evaluated the effectiveness of the pilot program and then announced Phase 2 of the program on March 21, 2016. Phase 2 Audits focus on the policies and procedures adopted by both covered entities and business associates to ensure they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Covered entities include health plans, health care clearinghouses, and health care providers, whereas business associates include anyone handling health information on behalf of a covered entity.

Phase 2 Audits of business associates focus on risk analysis, risk management, and reporting of HIPAA breaches to covered entities. OCR emphasizes the importance of audits as a compliance improvement activity in order to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

OCR chose entities to audit through random sampling of the audit pool. Communications from OCR were sent via email, so it is important to check spam filters and junk email folders for communications from [email protected]. OCR emailed a notice to verify contact information. Once the contact information was verified, OCR emailed a pre-audit questionnaire to gather data about the size, type, and operations of the entity. This data was used with other information to develop pools of potential covered entities for making audit selections.

Phase 2 Audits consist of three sets of audits. The first set of audits will be desk audits of covered entities, and the second set of audits will be desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and covered entities will be notified of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. OCR will select entities and request that they electronically submit documentation within 10 days. The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules.

On July 11, 2016, 167 covered entities were notified that they were selected for a desk audit. Desk audits of business associates will begin this fall. Download the complete Compliance Advisor, "HIPAA Phase 2 Audits," for best practices for covered entities facing desk or field audits.

Originally published by United Benefit Advisors.