Menu
   
Close
Click here to open global search
Print
Insights: Article

Is Your Organization Ready for HIPAA Phase 2 Audits?

By Jon Ault

May 24, 2016

Health care technology continues to expand and advance, and with that comes an increased risk of consumer privacy breaches. The HHS Office of Civil Rights (OCR) enforces the rules related to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). The OCR established a pilot auditing program in 2011.

In Phase 1 of the audit program, the OCR evaluated covered entities' HIPAA controls and processes surrounding Privacy, Security and Breach Notifications. The OCR then developed a protocol of reviewThis link takes you to an external website. that was used to assess 115 covered entities.

Phase 2
Moving forward with Phase 2 of the audit program, which began in March, the OCR will be requesting information to validate the covered entities' organizational contact information. Once this is completed, the OCR will randomly request the completion of a pre-audit questionnaire. Failure to respond to the request will not exclude you from a possible audit, and your organization runs the risk of the OCR having incorrect contact information.

Organizations who are randomly selected for a Phase 2 audit will receive both an email and a letter requesting documents. The expectation is for the organization to respond within 10 days from the date of the letter.

As part of the Phase 2 audits, covered entities will also be requested to reveal listing and contact information about their business associate agreements. Additionally, the OCR will be evaluating business associates for their HIPAA practices. Both desk audits and onsite audits will be conducted.

The first round will be concentrated on the covered entities. The second round will include the business associates. The goals of the audits are to evaluate HIPAA compliance, drive best practices, and identify risk vulnerabilities based on process reviews and complaint investigations.

Results of the draft audits will be shared with the organizations.

Next Steps

  1. Does your organization have HIPAA policies and procedures?
  2. Are your HIPAA policies and procedures compliant with current regulations?
  3. Do you have a business associates agreement with people who view protected health information?
  4. Are your business associate agreements current?

Related Insights

Related Solutions

Latest Insights

January 15, 2019
Article
Navigating the New Tariff World
The back and forth on tariffs is wreaking havoc for many businesses. Here’s what you can do to help ease the pain.
January 15, 2019
Article
Special Information Needed From Farmers With 2018 Sales to Cooperatives
If you are a farmer who sold to a cooperative in 2018, you will need to provide additional information if you’re looking to take advantage of deductions this tax season.
January 14, 2019
Article
Proposed ASU Extends Private Company Alternatives on Goodwill and Certain Identifiable Intangible Assets to Nonprofits
A proposed Accounting Standards Update may make some simplifying accounting alternatives available to nonprofits.
January 11, 2019
Article
Economic Update - January 2019
Equity and commodity markets experience major losses, the Fed sends a hawkish message, home sales improve, and the economy maintains its momentum.
January 11, 2019
Article
Tips for CECL Preparation
Many financial institutions are starting the process for implementing the Current Expected Credit Loss model (CECL). Here are some helpful tips to consider as you begin your implementation.
January 11, 2019
Article
The Risks of Employee Emails and Social Media
Is a social media account, such as LinkedIn, a personal account? Does your financial institution’s Acceptable Use policy address the use of social media for work-related business?
View More Insights View More Insights