Just like Paul Revere on his midnight ride, we’re here to warn you of the dangers ahead, and keep you as informed as we can about the forthcoming updates coming out of OCR.
When the Phase 2 audits were first announced in October of 2015, speculation about the exact nature of the program began to run rampant. However, with this new guidance from OCR, the criteria and the content of the audits have become clear. These Phase 2 audits are only a precursor to the permanent audit program that OCR is planning to release within the coming years. Understanding what’s required of you now is a proactive step that you can take to keep your organization out of the headlines in the future, and maintain the integrity of your reputation.
What Are They Looking For?
In OCR’s announcement on the HHS Health Information Privacy website, they said that “The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
The HITECH Act, which was passed in 2009, made provisions for OCR to routinely audit CEs and BAs for compliance with the Privacy, Security, and Breach Notification Rules. Each of these rules has been enforced with increasing frequency over the past year, and now it seems that OCR Director Jocelyn Samuels is taking that enforcement one step further.
The Phase 1 audits were carried out in 2011 and 2012; however, they only targeted CEs. The results of Phase 1 showed a shocking pattern of non-compliance, with only 11% of audits reporting no findings, meaning that only 11% of the Covered Entities that were audited showed no deficiencies in their compliance.
Understanding what’s required of your organization under the Privacy, Security, and Breach Notification Rules should be a priority among potential auditees. However, users of The Guard™ can rest easy knowing that all of the necessary policies and procedures outlined by these HIPAA Rules are built into our solution. If you’ve done your due diligence and made progress with your compliance implementation, you should be well on your way to understanding what’s required of you.
Who’s Going to be Audited This Time?
OCR has included explicit provisions in their Phase 2 audits to include both CEs and BAs in their program this time around, saying that “every covered entity and business associate is eligible for an audit.”
OCR is looking to identify CEs and BAs that vary in size, operation, and location. OCR will look at a wide range of potential auditees to attain a broad analysis of HIPAA compliance across the healthcare industry. However, if an organization has an ongoing complaint that is being investigated by OCR, they will not be eligible for a Phase 2 audit.
Two hundred CEs and BAs in total are set to be audited during this initial round of desk-only audits. If a CE or BA is chosen to be a part of the group of potential auditees, they can expect the process to follow a fairly simple route, outlined below: