The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced its Phase 2 HIPAA audit program. OCR auditors will concentrate on high-risk areas, drop on-site visits, and may integrate audit findings into OCR’s formal enforcement program.
Phase 2 audits will be conducted by OCR staff and will likely follow a different methodology than the earlier audits. Unlike the comprehensive Phase 1 audits, Phase 2 audits will be narrowly focused. OCR intends to audit 350 covered entities and 50 business associates. Of the covered entities, 100 will be audited on the Privacy Rule, concentrating on compliance with the requirements for the notice of privacy practices and patient access to protected health information. For the first time, business associates will be included in the audits; OCR will request a list of business associates from the covered entities it audits.
OCR has indicated that adverse findings from Phase 2 and future audits could lead to civil monetary penalties or a resolution agreement. The anticipated “Round 2” of Phase 2 audits, and those conducted in 2016 and beyond, are likely to focus on device and media controls, transmission security, Privacy Rule safeguards, encryption and decryption, physical facility access controls, breach reports, and complaint processes. However, because OCR leadership is likely to change soon, how the audit program ties into enforcement may change significantly.
OCR will audit 150 covered entities on the Security Rule, focusing on risk analysis and the corresponding risk management. OCR learned in Phase 1 that, without prior confirmation of an entity’s address, a hard-copy audit notification can drag on indefinitely. In response, last year OCR gathered information from more than 550 covered entities. Unlike Phase 1, OCR does not currently intend for Phase 2 audits to include on-site visits, but this is subject to review.
Prepare for Your Office for Civil Rights Phase 2 Audit
The best way to prepare for a HIPAA audit is to fully document your privacy and security program, for example using the Aegify documentation management system.
If HIPAA compliance auditors find that an organization cannot produce adequate documentation, they will reasonably suspect that its compliance efforts are subpar. Healthcare organizations need the following documents ready:
- Security and privacy policies and procedures
- Risk assessment and corrective action plan
- Organizational chart outlining privacy and security responsibilities
- Technology inventory, including all security tools used
- Business associate agreements
- Incident response plan
- HIPAA compliance training materials