Is Your Organization Ready for HIPAA Phase 2 Audits?

By Jon Ault

May 24, 2016

Health care technology continues to expand and advance, and with that comes an increased risk of consumer privacy breaches. The HHS Office of Civil Rights (OCR) enforces the rules related to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). The OCR established a pilot auditing program in 2011.

In Phase 1 of the audit program, the OCR evaluated covered entities' HIPAA controls and processes surrounding Privacy, Security and Breach Notifications. The OCR then developed a protocol of review that was used to assess 115 covered entities.

Phase 2
Moving forward with Phase 2 of the audit program, which began in March, the OCR will be requesting information to validate the covered entities' organizational contact information. Once this is completed, the OCR will randomly request the completion of a pre-audit questionnaire. Failure to respond to the request will not exclude you from a possible audit, and your organization runs the risk of the OCR having incorrect contact information.

Organizations that are randomly selected for a Phase 2 audit will receive both an email and a letter requesting documents. The organization is expected to respond within 10 days from the date of the letter.

As part of the Phase 2 audits, covered entities will also be asked to provide a listing of, and contact information for, their business associate agreements. Additionally, the OCR will be evaluating business associates for their HIPAA practices. Both desk audits and onsite audits will be conducted.

The first round will be concentrated on the covered entities. The second round will include the business associates. The goals of the audits are to evaluate HIPAA compliance, drive best practices, and identify risk vulnerabilities based on process reviews and complaint investigations.

Results of the draft audits will be shared with the organizations.

Next Steps

  1. Does your organization have HIPAA policies and procedures?
  2. Are your HIPAA policies and procedures compliant with current regulations?
  3. Do you have a business associate agreement with people who view protected health information?
  4. Are your business associate agreements current?
