What to expect from Phase 2 HIPAA audits

Posted: Sep 16, 2014

Last week we summarized 5 lessons from the 2012 HIPAA pilot audits, in which 115 covered entities (CEs) were assessed by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). Mandated by the HITECH Act, the audits are just one part of the ongoing evaluation by HHS and OCR to ensure that all Protected Health Information (PHI) remains secure. In February this year OCR announced in the Federal Register that Phase 2 HIPAA audits would commence in fall 2014.

What’s changed?

The 2012 audits focused primarily on the compliance of CEs. However, as outlined in the Federal Register, "OCR is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules". Going forward, OCR will survey both CEs and Business Associates (BAs) to determine who will qualify for Phase 2 HIPAA audits.

Concentrating on BAs as part of the HIPAA audits is a natural move by OCR, since under the 2013 HIPAA Omnibus Rule BAs are directly liable for HIPAA compliance. With civil penalties reaching up to $1.5 million per calendar year for violations of a single provision, it is no wonder OCR is keeping a close eye on privacy, security and breach notification standards.

The pilot audits in 2012 revealed that non-compliance in the majority of cases was a result of not meeting fundamental HIPAA standards in one or more of the following key areas:

  • Risk analysis and risk management
  • Content and timeliness of breach notifications
  • Notice of privacy practices
  • Individual access
  • Privacy Standards’ reasonable safeguards requirement
  • Training to policies and procedures
  • Device and media controls
  • Transmission security

As a result of the above, the Phase 2 HIPAA audits are likely to predominantly focus on risk analysis and risk management, as well as breach notification procedures.

CEs and BAs are being urged to ensure that all procedures and processes are well documented because, unlike the 2012 audits, Phase 2 will consist primarily of desk audits: OCR will review the documentation that entities submit rather than conducting onsite visits. If a policy, risk analysis or training record is not written down, the auditors will have no way to see it.

Who will be affected?

As in the pilot audit, healthcare providers, health plans and healthcare clearinghouses will face review. Between 550 and 800 CEs, and their associated BAs, are being selected at random from the National Provider Identifier database and America's Health Insurance Plans' databases. OCR will then select approximately 350 CEs/BAs for Phase 2 audits based on responses to a mandatory pre-audit screening survey.

The audits are due to start next month and continue into June 2015. Those that fail to meet the strict HIPAA standards will face further scrutiny via a full compliance review.

At Sfax we're proud to be fully HIPAA-compliant. If you have any concerns about the storage and transfer of PHI and other sensitive data within your organization, find out more about how we can help you here.