The Office for Civil Rights (OCR) started Phase 2 of the HIPAA audit program on March 21, 2016. Phase 2 will consist primarily of desk audits, but depending on what the desk audits turn up, some entities will also receive on-site audits.
The OCR has begun sending pre-audit questionnaires to health entities of all sizes. Recipients are selected randomly, and those responding are asked to provide information that reveals their size and revenue. Not everyone who receives a questionnaire will be audited: the OCR will use the responses to build the pool from which desk audit subjects are drawn. The plan is to complete the desk audits by December 2016.
The OCR appears to be focusing on the deficiencies uncovered during the Phase 1 audits: failure to conduct periodic security risk assessments, missing or outdated privacy and security policies, and inadequate HIPAA training. Phase 2 audits will cover business associates as well as covered entities, and those responding to the pre-audit questionnaire will be asked to list all of their business associates.
During the Phase 1 audits, Security Rule violations were the largest category of findings, and Security Rule compliance is expected to be the primary focus of the Phase 2 audits. Phase 1 was designed largely to help entities work toward HIPAA compliance; Phase 2 audits can result in real financial penalties. In other words, the Phase 2 audits should be taken more seriously.
Every entity should already have a solid HIPAA compliance program in place, and now is the time to assess that program for thoroughness. A good place to start is updating security and privacy policies and confirming that a good training program is in place. There should also be a designated privacy/security officer. Creating a HIPAA audit team that includes IT can help strengthen control of PHI.
Remember: if you receive a HIPAA audit request, you will have 10 business days to respond, so the documentation should be ready before the request arrives.