5 Ways to Prepare for a Phase 2 HIPAA Audit

by Sarah Harvey / June 29th, 2016

Have you received a questionnaire from the OCR regarding Phase 2 of the HIPAA audit program? Are you uncertain about how to prepare for the possibility that you will be selected for an audit? The Office for Civil Rights (OCR) has begun sending out address verification letters and collecting information on potential covered entities and business associates who may be selected for a Phase 2 HIPAA Audit. The pressure is finally on, and in the world of regulatory compliance in healthcare, it’s better to be prepared than surprised.

KirkpatrickPrice has some helpful tips for covered entities and business associates on areas of focus for each of the Privacy, Security, and Breach Notification Rules. Here are 5 ways you can prepare for a potential Phase 2 HIPAA Audit:

1. Review Notice of Privacy Practices

Covered entities should evaluate their compliance with all of the required elements relating to patient rights, patient choices, covered entities' obligations, and contact information.

2. Review your Business Associate Agreements

Covered entities should also review their business associate agreements to ensure the agreements are current, specifically outline the expectations of the business associate, and are in place with all business associates.

3. Conduct a Security Rule Risk Analysis

To comply with the Security Rule, covered entities and business associates should conduct a risk analysis to identify all systems that include electronic protected health information (ePHI), potential vulnerabilities and threats to that ePHI, the impact that an incident involving ePHI could have on your organization, and the controls in place to reduce the risks of an ePHI incident.

4. Review Policies and Procedures related to PHI Vulnerability

Covered entities and business associates should also review all of their policies and procedures related to PHI vulnerability, accessibility, and integrity in order to ensure that they are accurate and comprehensive. It’s also important to ensure that these policies and procedures have been communicated to everyone within the organization.

5. Evaluate Breach Notification Policies and Procedures

Lastly, covered entities and business associates need to evaluate their breach notification policies and procedures. Covered entities should review the content of their breach notification to patients who have been affected to ensure that the notice includes the required elements.

If you’re finding yourself stressing about whether you are prepared for a potential Phase 2 HIPAA Audit from the OCR and don’t know where to begin, we’re here to help. Contact us today for information about our HIPAA Risk Analysis, Audit, and Policy and Procedure development.