In 2011 and 2012, the HHS Office for Civil Rights (OCR) established an audit program to assess the controls and processes covered entities have implemented to comply with the HIPAA Privacy, Security and Breach Notification Rules. Phase 2 of the Audit Program has been looming for some time now, with continued delays. The latest news is that Phase 2 of the audits will now be done starting in 2015. The latest delay is to accommodate a technology upgrade by the OCR for collecting and analyzing audit data.
Phase 2 of the Audit Program, which affects covered entities as well as business associates, is not being done in person and relies heavily on meticulous record keeping. Entities will only have two weeks to respond to a data request. Failure to provide accurate information may lead to a full compliance review and enforcement action.
Phase 2 of the HIPAA Audits will look at high-risk areas identified in Phase 1 of the audit program. The first phase of the program identified that two-thirds of entities lack a complete or accurate risk assessment and that the Security Rule provisions accounted for the majority of findings and observations. It is likely these areas will have extra focus in Phase 2.
According to data shared on the Privacy & Security Law Blog by Anna C. Watterson, 56% of healthcare organizations audited in Phase 1 became aware of additional HIPAA requirements as a direct result of being audited. Being prepared before an audit begins can go a long way toward easing the audit process and helping organizations avoid unnecessary fines. Of course, these same precautions are really designed to help prevent costly data breaches.
For more on the current state of HIPAA and how it impacts healthcare organizations, we offer the following resources: