The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun “Phase 2” of its ongoing efforts to assess compliance with the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules). The 2016 Phase 2 HIPAA Audit Program broadens audit coverage and includes changes in the audit approach. It is essential that healthcare organizations be prepared for these audits so that they can respond comprehensively to OCR requests within the 10-day period allotted for organizational responses.
The Health Information Technology for Economic and Clinical Health Act (HITECH) requires OCR to conduct periodic audits of covered entity and business associate compliance with HIPAA Rules. In 2011 and 2012, OCR implemented a pilot audit program for selected covered entities. Based on experiences and results from that program, the more focused Phase 2 audit protocol was developed. Phase 2 will examine compliance not only by covered entities, but also by related business associates. In addition, there will be fewer in-person, on-site audits in Phase 2 than in the pilot program. Most audits will be conducted remotely as “desk audits,” but entities selected for an audit should be prepared for an in-person, on-site audit if OCR deems it appropriate.
The aggregated results are intended to enable OCR to better understand compliance efforts and challenges with particular aspects of the HIPAA Rules. Although the primary focus of the audits will be on compliance improvement, if an audit identifies a serious compliance issue, OCR may further investigate through a broader-scale compliance review.
Every covered entity and business associate is eligible for an audit. OCR has begun verifying the contact information of covered entities and business associates. The OCR site states that once contact information is verified, OCR will send a pre-audit questionnaire to covered entities and business associates to gather “data about the size, type, and operations of potential auditees.” Next, OCR will select a random sample of entities from the audit pool. Selected entities will be notified of their selection by email and asked to provide documents and other data in response to a document request letter. Audited entities will be required to submit all requested documentation digitally through the OCR audit portal, within 10 business days of the date on the information request.
Covered entities should proactively prepare for the possibility of being selected for a Phase 2 HIPAA compliance audit. At a minimum, organizations should conduct a self-assessment of compliance activities in relation to published HIPAA protocols. Following are other steps that can be taken to improve audit readiness:
Is your organization prepared for a Phase 2 HIPAA audit?
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.