In Phase 2 of audits planned to begin this fall, the OCR plans to conduct HIPAA compliance audits for about 350 covered entities that will focus on specific areas of HIPAA compliance, and 50 Business Associate audits that will focus on compliance with the risk analysis and breach notification requirements. Being a more streamlined process, organizations are to be given about two weeks to submit requested information to OCR, after being notified of an audit, and the importance of carefully following instructions when submitting documentation can’t be emphasized enough. Greene goes on to explain that as the OCR has indicated they are not looking to receive unrelated information, and presenting such information could possibly hurt someone’s chances in the audit. As the OCR only wants to see what it’s requesting, it is important to ensure that you do just that – nothing more, nothing less.

The Phase 2 of the HIPAA compliance audits are tied to potential enforcement action, like settlement agreements for HIPAA violations, and many organizations may find it difficult to respond to a request for information for an audit. Greene advises such organizations to consider bringing in outside counsel, particularly as an audit could run into a settlement action at a later point. It is also essential to ensure no unnecessary admissions during the audit process.

This phase of the HIPAA audits are unlike the comprehensive HIPAA compliance audits that were conducted earlier and will be just  “desk audits” performed remotely by staff of the Department of Health and Human Services’ Office for Civil Rights. It is imperative that your enterprise is more just prepared. Implementing a comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC can ensure that facilitate you are ready to face this round successfully. Aegify SecureGRC has built-in policies, procedures, and frameworks for HIPAA compliance, and can greatly simplify the process of compliance and dramatically improve the security posture of healthcare entities.

The post Gearing up for the Next Round of HIPAA Audits? Start by Getting Your Documentation in Place appeared first on Aegify.

According to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy, OCR auditors will assess compliance efforts through an updated protocol, and will include new criteria that reflect HIPAA Omnibus Rule changes and more specific test procedures.

Focus Areas

While the focus of Business Associate audits will be on HIPAA security risk analysis and risk management, the OCR’s audits for covered entities will focus on specific areas of HIPAA compliance. There is also likely to be another round of covered entity audits later in 2015 that will primarily focus on computing device and storage media security controls, transmission security, as well as HIPAA privacy rule safeguards, including workforce training, policies and procedures. Planning way ahead to 2016, the OCR intends for the HIPAA audits to include a focus on encryption and decryption, facility and physical access control, along with other areas of high-risk as identified by 2014 audits.

Who will be audited?

According to the recent presentation by Sanches, the OCR will conduct address verification with covered entities surveyed this spring, where entities will receive a link to an online screening “pre-survey” this summer, and out of the 550 to 800 covered entities contacted for the survey, OCR will select about 350 to audit. While selected covered entities will be receiving audit notification and data requests in fall 2014, they would be asked to identify their business associates and provide those vendors’ current contact information. OCR will then select business associate audit subjects for 2015 from among the BAs identified by covered entities.

The effectiveness of the new approach

Phase 2 of the HIPAA audit program has generated mixed opinions, with one security expert believing that it will help spur compliance, and another expert wondering if there will actually be a boost in compliance, considering the OCR’s approach to selecting candidates and questions.

David Holtzman, vice president of privacy and security compliance services at security consulting firm CynergisTek, and former senior advisor at OCR, believes that phase two of the OCR audit program can have a significant impact on covered entity’s and business associates’ compliance activities. Despite the OCR conducting a limited number of audits this time around, the possible influence of those activities is nonetheless great. Increasing the visibility of compliance with the HIPAA rules, the impact of the OCR audit program across all healthcare providers and organizations is greater than before.

As always, failing to have safeguards in place to protect health information will result in serious consequences – reputational and financial. The time is right for healthcare entities to evaluate their security and compliance stance and thoroughly prepare themselves. Comprehensive security management solutions like Aegify Security Posture Management and Aegify SecureGRC can prove handy at this stage, and help entities fearlessly deal with the upcoming audits with confidence.

The post Unraveling the Details of Second Round of HIPAA Audits appeared first on Aegify.