Are You Ready for Phase 2 Audits?

Are You Ready for Phase 2 Audits?

Are You Ready for Phase 2 Audits?

With Phase 2 of the HIPAA Audit Program officially underway, the HHS Office for Civil Rights (OCR) is demonstrating its continued efforts to ensure that protected health information (PHI) is being properly safeguarded by covered entities and their business associates. Both ebtities and individuals can be held responsible. Ignorance, nor lack of  employer provided training, in an excuse.

Have all HIPAA compliance documentation is ready to go.

If selected for audit, documentation will be need to be submitted electronically within 10 days. This includes items such as:

  • HIPAA Privacy, Security and Breach Notification Policies and Procedures
  • HIPAA annual training logs/certificates for employees
  • Business Associate Agreements
  • Documentation of a risk analysis and how identified risks have been mitigated
  • Notice of Privacy Practices
  • Lists of any unauthorized uses and disclosures of PHI, including breach notification letters for any confirmed breaches

Performing a risk analysis is a necessity

Every organization that handles PHI should incorporate a thorough risk analysis to determine any potential risks to PHI and assess its current security measures. This process should be ongoing and appropriately documented.

The OCR has made its Audit Protocol readily available for review

The OCR is being very transparent regarding which requirements will be assessed during Phase 2 audits.  Covered entities and their business associates can access this information on the HHS website. By reviewing this protocol, organizations can further determine their readiness and correct any areas of deficiency.

Be sure to fill out the OCR contact letter and questionnaire

The OCR will be sending an email to verify organization’s contact information, followed by a questionnaire to collect information regarding the organization’s size, type of operation, and list of business associates. Receiving this contact letter and questionnaire does not mean that the organization will be audited, however.  Those audited will be selected via a random sampling.

The OCR recommends that all covered entities and business associates check their spam or junk folders to ensure that this email is not missed.