Department of Health and Human Services Launches Long Awaited HIPAA Audit – Phase 2

Early last month, the Department of Health and Human Services Office for Civil Rights (OCR) officially launched Phase 2 of its HIPAA Audit Program. Phase 2 is an extension of 2011’s Pilot Program to review an entity's adherence to HIPAA’s Privacy, Security and Breach Notification rules. According to the OCR, the use of health information technology and the continual expansion of that technology create an increased risk of healthcare violations and expose consumer privacy.

In 2011, the HHS OCR, in conjunction with the Health Information Technology for Economic and Clinical Health (HITECH) Act, implemented a program to assess the controls and processes of covered entities. With a narrow focus on only 115 covered entities, the OCR completed its initial round in December 2012. In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. These audits will primarily be desk audits, although some on-site audits will be conducted.

How will the audit program work?

From the HHS.Gov Site:
“The audit process will employ common audit techniques. Entities selected for an audit will be sent an email notification of their selection and will be asked to provide documents and other data in response to a document request letter. Audited entities will submit documents on-line via a new secure audit portal on OCR’s website. There will be fewer in person visits during these Phase Two audits than in Phase One, but auditees should be prepared for a site visit when OCR deems it appropriate. Auditors will review documentation and then develop and share draft findings with the entity. Auditees will have the opportunity to respond to these draft findings; their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings.”

How can the audits affect me?

If you are an organization concerned about remaining compliant with HIPAA and HITECH, ensure you are up to date on best practices from existing vendors. As a reminder, penalties for HIPAA violations can range from $100 to $50,000 per instance, depending on severity and level of neglect. An audit can be an eye-opening experience for a number of organizations, and one that could come with a hefty price tag.

Concerned about faxing compliance?

Consult Retarus’ HIPAA Compliance guide for Faxing Services to review the impact of non-compliance on organizations as well as strategies and best practices for remaining HIPAA compliant with cloud messaging technology. A guide can be requested through our website.