IT Practice Consulting – Health IT Report – May 2016
“Phase 2 of the HIPAA Audit Program – FAQs and Preparing Your Practice”
Introduction:
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced its launch of HIPAA’s Audit Program Phase Two. Originating as a requirement of the Health Information Technology for Economic and Clinical Health Act (HITECH), HIPAA’s Audit Program initiated periodic audits of covered business entities’ and associates’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Phase 1 ran from 2011 to 2012, employing a pilot audit program to evaluate privacy controls implemented by 115 covered business entities, as well as their subsequent levels of compliance with HIPAA’s requirements. Starting in 2016, Phase 2 will cast a wider net over covered practices, applying verified audit tools that emerged from Phase 1’s pilot programs. The U.S. Department of Health confirms: “these tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).” Fortunately, preparing your business for Phase 2 is as easy as educating your employees on HIPAA’s audit procedures and staying informed.
Read More from the Department of Health and Human Services:
OCR Launches Phase 2 of HIPAA Audit Program
Who Will Be Audited?
Any covered practice, medical entity, or collaborative business associate may be audited. The OCR intends to select a wide range of potential audits, based primarily on a business’s size, type, and scope of operations. Only entities currently undergoing complaint investigations or compliance reviews will be removed from the selection process.
How Will the Audits Work?
The OCR plans to conduct both desk and on-site audits during the implementation of Phase 2 and has asked for every business’ full cooperation and support with the ongoing audits. Desk audits will initially be performed for medical entities, with a second round of desk audits later applied to collaborative associates. The Phase 2 timeline expects these desk audits to be completed by December 2016. However, certain businesses will then be selected for a third round of audit procedures, including on-site personnel and documentation review. Finally, auditors will develop reports and draft conclusions; business entities can respond to the aforementioned findings and any written responses will be included in the final audit reports.
How Do I Prepare My Practice for Phase 2?
Independent practices and business associates alike can prepare for Phase 2 audits by fully participating in HIPAA’s selection process. According to the Department of Health and Human Services (HHS), an email will be sent to covered entities requesting verification of a business’s most recent street address and contact information. Businesses are urged to frequently check spam inboxes for this email, as virus filters may incorrectly flag the OCR’s email. After receiving a response, the OCR will then email a pre-audit questionnaire; this form seeks to gain information concerning an entity’s size, type, and scope of operations. The HHS stresses that “an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review” and, therefore, strongly suggests completion of both forms. After responding, an entity should monitor its email and calls for further information about the HIPAA Audit Program; the OCR assures business entities that transparency is a significant part of these audits and it intends to “post updated audit protocols on its website closer to conducting the 2016 audits.”
Read More from the Department of Health and Human Services:
FAQs about HIPAA’s 2016 Audit Program
Final Thoughts
HIPAA’s Audit Program proposes quick, efficient procedures for all covered entities, but Phase 2 preparedness is integral to full cooperation and positive results. If you have any concerns about your practice’s compliance with HIPAA Privacy, Security, and Breach Notification Rules, talk to an expert today about pre-audit reviews. The New York e-Health Collaborative (NYeC) strives to empower medical practices statewide by supporting businesses through the implementation and success of Health IT programs, including information privacy. Teaming together with IT Practice Consulting, the NYeC can ensure your practice’s preparation for Phase 2 of HIPAA’s 2016 Audit Programs.
Contact IT Practice Consulting today to start your pre-audit review.
