Almost two years have passed since the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that Phase 2 HIPAA audits would happen.
For those who have been selected as part of the audit process, the wait is almost over. This article sets out to explain the purpose of the Phase 2 audits, how they differ from the Phase 1 (pilot) audits, and outline some of the key steps organizations should take to prepare.
Meet Phase 2
Unlike the Phase 1 audits, which focused solely on covered entities and were completed in 2011 and 2012, the Phase 2 audits will also assess the business associates of those covered entities. HIPAA defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” This includes, but is not limited to, accountants, health plan providers, and medical supply companies.
Furthermore, the Phase 2 audits will focus largely on the high-risk problem areas identified in the Phase 1 audits, which include the following:
- Risk analysis and risk management
- Content and timeliness of breach notifications
- Notice of privacy practices
- Individual access
- Reasonable and appropriate privacy safeguards requirements
- Training on HIPAA policies and breach notification procedures
- Device and media controls
- Transmission security
Preparing for an audit
Here are five things you can do to prepare if you are one of the 224 covered entities selected as part of the Phase 2 audits.
1. Compile details of your HIPAA compliance program
It is essential that your organization maintain and operate a comprehensive HIPAA compliance program that addresses the HIPAA privacy, security, and breach notification rules. HIPAA compliance should not be a one-time project, and therefore OCR will be looking for evidence of an ongoing HIPAA compliance program, including proof, in the form of dated documentation, that policies are reviewed periodically.
2. Provide proof of a current risk analysis
Ensure that your organization undertakes a thorough security risk assessment, which HHS requires, and that a risk management plan exists, including details of any security deficiencies that are ranked in order of priority. Pay special attention to your handling of electronic protected health information (e-PHI).
This kind of risk management and analysis should be an ongoing process. HHS recommends that a covered organization regularly “reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”
If you need help conducting a risk assessment, the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with OCR and the HHS Office of the General Counsel (OGC), has developed a tool to guide you through the process. It can be found at healthit.gov/providers-professionals/security-risk-assessment-tool.
3. Make a list of business associates
It is expected that OCR will request a list of all business associates, together with the corresponding signed business associate agreement for each. So, you should have this information, as well as the services each business associate provides and their contact information, documented in advance.
4. Staff training and responsibilities
HIPAA compliance starts with people.
Your organization should operate and document a robust training policy that sets out to educate all members of staff on the HIPAA security and privacy rules, as well as the procedures they should follow in event of a potential data breach.
In addition to having staff trained, you should appoint someone within the organization whose responsibility is to collect all necessary documentation and act as the primary point of contact for OCR. Entities selected for auditing will have two weeks to respond to OCR’s request, so it is crucial that the response lands on the right person’s desk and is acted upon immediately.
5. Documentation is key
Because the Phase 2 audits will primarily be desk audits that focus on documents, there will be no room for verbal clarification. This makes the need for proper documentation particularly important. Once documents are submitted to OCR, there is no going back. Anything that is put forward must comprehensively demonstrate your organization’s commitment to HIPAA compliance as per the audit requirements.
Conversely, you should avoid oversharing any documentation that hasn’t specifically been requested.
Any issues identified within extraneous documentation will be noted and acted upon. And providing more information than requested by the auditors could put your practice under unnecessary scrutiny.
The risks of noncompliance
The implications of failing an audit are one thing, but the real-world issues associated with noncompliance can be far more significant. A violation, especially one that results in a data breach, can lead to civil penalties, which are enforced by OCR and range from $100 to $50,000 per violation, up to an annual cap of $1.5 million for violations of an identical provision. It can also lead to criminal penalties, which are enforced by the U.S. Department of Justice and can in severe cases result in imprisonment.
There are also reputational consequences to consider: how might a data breach at your organization affect business if it became public? These are worrying thoughts, and stark reminders of just how crucial it is to ensure your organization is HIPAA compliant.
Findings from the Phase 1 audits pointed to the HIPAA Security Rule as the biggest problem area, and in most cases this was due to the entity being unaware of the requirements surrounding this rule.
The bottom line is that ignorance is not a viable defense. In order to ensure a successful audit, and ultimately minimize your risk of a data breach within your practice, ensure that you and your staff have a solid understanding of the HIPAA rules.
Gene Fry has been the compliance officer and vice president of technology at Scrypt since 2001. He has 25 years of IT experience working in various healthcare industries and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, and he is certified in HIPAA privacy and security. He can be contacted through scrypt.com.