Almost two years have passed since the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) first announced that Phase 2 HIPAA audits would be happening.
For those who have been selected as part of the audit process, the wait is almost over. It is vital to understand the purpose of the Phase 2 audits, how they differ from the Phase 1 (pilot) audits, and what key steps your practice should be taking to prepare.
Unlike the Phase 1 audits that were completed in 2011 and 2012, which focused solely on covered entities, the Phase 2 audits will also assess the business associates of those covered entities. HIPAA defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity”; these include—but are not limited to—accountants, health plan providers, and medical supply companies.
Furthermore, the Phase 2 audits will focus largely on the high-risk problem areas identified by the Phase 1 audits, which include the following:
- Risk analysis and risk management
- Content and timeliness of breach notifications
- Notice of privacy practices
- Individual access
- Privacy standards reasonable safeguards requirement
- Training on HIPAA policies and breach notification procedures
- Device and media controls
- PHI transmission security
Preparing for examination
If you are one of the 224 covered entities that have been selected as part of the Phase 2 audits, here are five things you can do to prepare.
1. Compile details of your organization’s HIPAA compliance program.
It is essential that your organization maintains and operates a comprehensive HIPAA compliance program that addresses the HIPAA privacy, security, and breach notification rules. HIPAA compliance should not be a one-time project, and the OCR will be looking for evidence of an ongoing compliance program, including proof that policies are reviewed periodically, by way of dated documentation.
2. Provide proof of a current risk assessment analysis.
Ensure a thorough security risk assessment is undertaken by your organization and that a risk management plan exists, including details regarding any security deficiencies, ranked in order of priority. HHS states: “The administrative safeguard provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.”
And: “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” If you need help conducting a risk assessment, the Office of the National Coordinator (ONC) for Health Information Technology, in collaboration with the OCR and the HHS Office of the General Counsel (OGC), has developed a tool to help guide you through the process.1
3. Make a list of all business associates.
You should expect the OCR to request a list of all business associates and their corresponding signed agreements. You should therefore have this information, along with the services each business associate provides and their contact details, documented in advance.
4. Train your staff on their responsibilities.
HIPAA compliance starts with people: Your organization should operate and document a robust training policy that educates all staff members on the HIPAA security and privacy rules, as well as the procedures they should follow in the event of a potential data breach.
In addition to having your staff trained, you should appoint someone within the organization whose responsibility it is to collect all necessary documentation and act as the primary point of contact for the OCR. Entities selected for auditing will have just two weeks to respond to the OCR’s request, so it is crucial that the response lands on the right person’s desk and is acted upon immediately.
5. Provide exact documentation.
The Phase 2 audits will primarily be “desk audits” that focus on documents only, meaning there will be no room for verbal clarification. This makes the need for proper documentation particularly important. Once documents are submitted to the OCR, there is no going back; anything that is put forward must comprehensively demonstrate your organization’s commitment to HIPAA compliance per the audit requirements.
Conversely, you should avoid oversharing any documentation that hasn’t specifically been requested. Any issues identified in extraneous documentation will also be noted and acted upon, so by providing more information than requested you could be putting your organization under unnecessary scrutiny.
The danger of noncompliance
The implications of failing an audit are one thing, but the real-world consequences associated with noncompliance can be far more significant. A data breach can result in civil penalties, which are enforced by the OCR and vary from $100 to $1.5 million, as well as criminal penalties, which are enforced by the U.S. Department of Justice and can, in severe cases, lead to imprisonment.
There are also reputational consequences to consider; how might a data breach at your organization affect business if it went public? These are worrying thoughts, but serve as a stark reminder of just how crucial it is to ensure your organization is HIPAA compliant.
Findings from the Phase 1 audits pointed to the HIPAA Security Rule as the biggest problem area, and in most cases, this was due to the entity being unaware of the requirements surrounding this rule.2 The bottom line is: Ignorance of the law is not a viable defense, so in order to ensure a successful audit and ultimately minimize the risk of a data breach within your organization, ensure you have a solid understanding of the HIPAA rules.
Gene Fry has been the compliance officer and vice president of technology at Scrypt since 2001 and has 25 years of IT experience working in industries such as healthcare and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, and he is certified in HIPAA privacy and security. He can be contacted through scrypt.com.
1 HealthIT.gov. “Security Risk Assessment.” https://www.healthit.gov/providers-professionals/security-risk-assessment-tool. Updated June 2015. Accessed July 2016.
2 HHS.gov. “The Security Rule.” http://www.hhs.gov/hipaa/for-professionals/security/index.html. Updated July 2016. Accessed July 2016.