HIPAA Phase 2 Audits Begin

By: Arieanna Schweber | 4/26/2016

Healthcare organizations are facing steep regulatory pressure this year. Earlier, we discussed how the resolution agreements over HIPAA violations settled by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), totaling $5.4 million across two organizations, pointed toward a steady increase in resolutions expected for this year. This past month, the OCR also announced that the long-awaited Phase 2 HIPAA Audits are now under way.

The Phase 2 audits of covered entities and business associates help the OCR proactively uncover and address risks and vulnerabilities to PHI, ideally before those risks translate into a data breach. Phase 2 Audits are primarily desk audits, with some on-site audits. A randomly selected group of respondents is being sent a pre-audit questionnaire, from which organizations will be chosen for the full audit, to be completed by December of this year.

Phase 2 audits will focus on the top deficiencies identified in Phase 1, including failure to conduct periodic risk assessments; missing, outdated or inadequate privacy or security policies and controls; and inadequate employee training. Unlike Phase 1 audits, Phase 2 audits that identify failures in HIPAA compliance come with real financial consequences.

There are many pieces of advice that can help you focus your compliance efforts. For example, looking historically at healthcare data breaches and past audit results, ModernMedicine Network offers these 10 ways to prepare for Phase 2 audits:

  1. Update your privacy policies, including those that cover business associate relationships
  2. Review access protocols (who can access PHI, how it can be accessed and moved)
  3. Understand the rules for oral communications
  4. Hire security and privacy officers, internally or through a contractor
  5. Review your endpoint security protocols, with encryption as a bare minimum
  6. Review email and text messaging policies
  7. Ensure security risk assessments are completed annually
  8. Ensure the notice of privacy practices (NPP) is clear and accurate
  9. Have a procedure in place to deal with complaints of privacy violations
  10. Know and understand how your organization could be impacted by other regulators, particularly at the State-law level

HIPAA regulations have continued to challenge healthcare organizations across the country, exposing major cracks in the foundation of healthcare data security processes. Healthcare organizations face more data security challenges than any other industry: they are the top target for cyber attacks, and they operate highly complicated healthcare networks, a growing volume of electronic healthcare records and an increasingly mobile workforce. Security, in turn, must be a dynamic process, with layers of defense added in response to changing risk patterns.

Absolute Data & Device Security (DDS) for Healthcare helps you identify potential security threats and respond rapidly before they become damaging security incidents. Tailored specifically for healthcare organizations, Absolute DDS provides a full complement of features and remote capabilities so that you can control and secure healthcare data and devices, maintain the trust of your patients and stakeholders, and protect your organization from financial penalties. Learn more about our healthcare solutions here.