What Does the HIPAA Phase 2 Audit Program Mean for Providers
Tuesday, April 19th, 2016
HIPAA Phase 2 Audit Program Announced by OCR
The HHS Office for Civil Rights (“OCR”) has officially announced the commencement of its 2016 Phase 2 HIPAA Audit. In Phase 2, OCR will be reviewing the policies and procedures of covered entities and their business associates. This phase of audits is intended to determine whether providers have properly implemented and satisfy the standards and implementation specifications of the privacy, security, and breach notification rules. For the most part, Phase 2 audits will include only document review to determine compliance with policy and procedure requirements. In cases of noncompliance, the initial document review may turn into a formal site visit and a more complete HIPAA audit.
The OCR will be sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. This will be followed by transmission of a pre-audit questionnaire asking for information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools. It is critical that providers respond to the request for information within the specified timeframes. Failure to respond may increase the chances of further audit and scrutiny. More details will be forthcoming from OCR regarding audit protocols in the near future.
A provider’s chances of audit are much greater under the Phase 2 audit program than under the prior phase. Not all providers will be subject to audit. OCR is using the increased risk of audit to assure that providers make preparations and enhance their policies, procedures, business associate agreements and other compliance documentation and practices. Given the public nature of the program and the time that providers have been given to get their ship in order, audits are likely to be less forgiving than in the previous phase.
What does this mean to providers? Now is the time to make certain that HIPAA practices, policies and procedures are in compliance with legal requirements. Providers may consider performing an effectiveness audit of their HIPAA policies and processes to identify any gaps in policy and practice that could lead to further investigation under the Phase 2 program. Providers should assure that their information privacy program includes all necessary elements and would withstand an audit. Even though no specific provider is certain to be audited, some certainly will be. Every provider needs to be ready for this possibility.
