Preparing for OCR Audits May Not be the Same – A Few Tips to See You Through
Aegify, https://www.aegify.com/preparing-for-ocr-audits-may-not-be-the-same-a-few-tips-to-see-you-through/
Mon, 21 Apr 2014
The Department of Health and Human Services' Office for Civil Rights (OCR) has unveiled the new shape of its Phase 2 HIPAA audit program. Unlike Phase 1, Phase 2 will have OCR staff conduct the audits themselves, concentrate on high-risk areas, drop on-site visits, and potentially feed audit findings into OCR's formal enforcement program.

A quick glance at what the Phase 2 audit program entails

Because Phase 2 audits will be conducted chiefly by OCR staff rather than by a contractor, the methodology will differ from Phase 1. Where the Phase 1 audits were comprehensive, Phase 2 audits will be narrowly focused. OCR intends to audit 350 covered entities and 50 business associates. It will audit 100 covered entities on the Privacy Rule, concentrating on compliance with the requirements for the notice of privacy practices and for patient access to protected health information, and, for the first time, business associates will be included. OCR will request a list of business associates from each audited covered entity.

OCR has indicated that adverse findings from Phase 2 and later audits could lead to civil monetary penalties or a resolution agreement. The anticipated "Round 2" of Phase 2 audits, and those conducted in 2016 and beyond, are expected to focus on device and media controls, transmission security, Privacy Rule safeguards, encryption and decryption, physical facility access controls, breach reports, and complaint processes. How tightly the audit program is tied to enforcement may also shift, since OCR leadership is expected to change soon.

Some of the differences

This time OCR will audit 150 covered entities on the Security Rule, focusing on risk analysis and the corresponding risk management plan. OCR learned in Phase 1 that, without confirmed addresses, hard-copy audit notifications could be badly delayed. So, in summer 2014, OCR expects to collect contact and profile details from 550 to 800 covered entities in order to select a suitable sample, and then follow up in fall 2014 with notifications and data requests to the 350 covered entities chosen. Most Phase 2 topics are drawn from the deficiencies identified in Phase 1. Also unlike Phase 1, OCR does not intend Phase 2 audits to include on-site visits, though it may return to on-site audits in the future if additional funds become available.

Here’s how to prepare for the Phase 2 audits

Covered entities and business associates can keep the following tips in mind while preparing for the next round of audits.

  • Make certain your risk analysis actually identifies and categorizes risks to ePHI (by likelihood and impact), rather than merely documenting that controls are in place or listing gaps against the Security Rule. A control inventory or a compliance gap list is not a risk analysis and will not satisfy an auditor asking for one.
  • Make sure all policies are current, especially those covering:
    • Breach notification, risk analysis, and risk management (for both covered entities and business associates)
    • The notice of privacy practices and patient/enrollee access (covered entities only)
  • Make sure the supporting documentation for those topics is complete, clearly written, and easy to retrieve on request:
    • Breach investigations and breach risk assessments, risk analyses, and risk management plans (for both covered entities and business associates)
    • Responses to patient access requests (covered entities only)
  • Know how to retrieve documentation of patients' acknowledgments of receipt of the notice of privacy practices. Where no acknowledgment was obtained, collect documentation of the attempt and the reason it was not obtained.
  • Keep an up-to-date inventory of business associates with current contact information (covered entities only), since OCR will ask for it.

Health information must be viewed and safeguarded like any other business asset. Healthcare entities need to take a realistic look at their current state and prepare with thorough risk assessments. Every covered entity needs to understand the Privacy and Security Rules clearly and identify the threats and vulnerabilities in its systems that could put the confidentiality, integrity, and availability of health information at risk. Security management solutions such as Aegify Security Posture Management and Aegify SecureGRC can help entities organize that work and face the upcoming audits with confidence.
