
Is Your Organization Ready for HIPAA Phase 2 Audits?

By Jon Ault

May 24, 2016

Health care technology continues to expand and advance, and with that comes an increased risk of consumer privacy breaches. The HHS Office of Civil Rights (OCR) enforces the rules related to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). The OCR established a pilot auditing program in 2011.

In Phase 1 of the audit program, the OCR evaluated covered entities' HIPAA controls and processes surrounding Privacy, Security and Breach Notifications. The OCR then developed a protocol of review that was used to assess 115 covered entities.

Phase 2
Moving forward with Phase 2 of the audit program, which began in March, the OCR will be requesting information to validate the covered entities' organizational contact information. Once this is completed, the OCR will randomly request the completion of a pre-audit questionnaire. Failure to respond to the request will not exclude you from a possible audit, and your organization runs the risk of the OCR having incorrect contact information.

Organizations that are randomly selected for a Phase 2 audit will receive both an email and a letter requesting documents. The expectation is for the organization to respond within 10 days from the date of the letter.

As part of the Phase 2 audits, covered entities will also be requested to reveal listing and contact information about their business associate agreements. Additionally, the OCR will be evaluating business associates for their HIPAA practices. Both desk audits and onsite audits will be conducted.

The first round will be concentrated on the covered entities. The second round will include the business associates. The goals of the audits are to evaluate HIPAA compliance, drive best practices, and identify risk vulnerabilities based on process reviews and complaint investigations.

Results of the draft audits will be shared with the organizations.

Next Steps

  1. Does your organization have HIPAA policies and procedures?
  2. Are your HIPAA policies and procedures compliant with current regulations?
  3. Do you have a business associate agreement with people who view protected health information?
  4. Are your business associate agreements current?
