Health Law Blog - Healthcare Legal Issues

Archive for April, 2016

What Does the HIPPA Phase2 Audit Program Mean for Providers

Tuesday, April 19th, 2016

HIPAA Phase 2 Audit Program Announced by OCR

HIPAA Phase 2 Audit ProgramThe HHS Office for Civil Rights (“OCR”) has Officially announced The commencement of its 2016 Phase 2 HIPAA Audit. In Phase 2, OCR Will be reviewing the policies and procedures of covered entities and their business associates. This phase of audits is intended to determine whether providers have properly implemented and satisfy standards and implementation specifications of the privacy, security, and breach notification rules. For the most part, Phase 2 audits will  include only document review to determine compliance with policy and procedure requirements. In cases of noncompliance, the initial document review may turn into a formal site visit and more complete HIPAA audit.

The OCR will be sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. This will be followed by transmission of a pre-audit questionnaire asking for information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools. It is critical that providers respond to the request for information within the specified timeframes. Failure to respond may increase the chances of further audit and scrutiny. More details will be forthcoming from OCR regarding audit protocols in the near future.

A provider’s chance of audit are much greater under the phase 2 audit program than under the prior phase.  Not all providers will be subject to audit. OCR is using the increased risk of audit to assure that providers make preparations and enhance their policies, procedures, business associates agreements and other compliance documentation and practices.  Given the public nature and time that providers have been given to get their ship in order, audits are likely to be less forgiving that the previous phase.

What does this mean to providers? Now is the time to make certain that HIPAA practices, policies and procedures are in compliance with legal requirements. Providers may consider performing an effectiveness audit  of their HIPAA policies and process to identify any gaps in policy and practice that could lead to further investigation under the phase 2 program.  Providers assure that their information privacy program includes all necessary elements and would withstand and audit.  Even though no specific provider is certain to be audited, some certainly will be.  Every provider needs to be ready for this possibility.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.