Are you Ready for an Onsite Audit from the OCR?

by Sarah Harvey / November 19th, 2014

Phase 2 of HIPAA Audit Program Expected in 2015

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has always enforced HIPAA compliance. Recently, they have announced plans to proceed with Phase 2 of the HIPAA audit program, a more proactive approach to overseeing HIPAA compliance.

Supervision is coming. The OCR is determined to begin performing periodic audits to ensure that Covered Entities and Business Associates are complying with the HIPAA Privacy, Security, and Breach Notification Standards. The purpose of this new oversight approach is to monitor that efforts are being made to provide regulatory protections and individual rights, identify best practices as well as common risks and vulnerabilities, and to encourage consistent awareness of compliance obligations.

This new phase of audits is expected to begin in 2015 and any Covered Entity and their Business Associates are subject to be audited. This includes Covered Entities such as health plans of all types, health care clearinghouses, individual and organizational providers. Business Associates are selected through their Covered Entities and includes Health Information Organizations, E-prescribing Gateways, Personal Health Record Vendors, and Entities providing Data Transmission Services for PHI and that require routine access to such PHI.

A pool of 550-800 Covered Entities will be selected to complete a pre-audit survey. Following the review of the results, approximately 350 Covered Entities will be audited as well as their Business Associates. In other words, if you’re a Business Associate working for a high profile entity, you will get a visit from the OCR.

With these audits beginning in a few months, it’s important to begin prioritizing accordingly. These comprehensive onsite audits will focus on specific findings from Phase 1 of the audit program. The OCR has announced specific plans to focus on the following:

• Security Risk Analysis and Management
• Breach Content and Effectiveness of Notifications/Reporting to CE
• Privacy Notices and Access to Records
• Proper Safeguards and Adequate Training of Policies and Procedures
• Device and Media Controls, Transmission Security
• Encryption/Decryption and Physical Access Controls

Use this time to find gaps in your Policies & Procedures and start remediating from there. Do you have someone overseeing your compliance efforts? It’s important to make sure your organization is establishing and implementing physical, administrative, and technical safeguards to protect PHI. If compliance and security are important things among the culture of your organization, it should begin by the tone from the top. Every individual in your organization needs to understand what HIPAA compliance is and the “dos and don’ts“ of everyday operations through comprehensive training. Your compliance program needs to be organized and deliberate to properly demonstrate compliance with the HIPAA Rules. Complete a Risk Assessment to determine what remediations to your Policies & Procedures need to be prioritized.

Has your organization implemented the new Omnibus Rule? Your program should reflect your privacy and security practices. Do you know who your vendors are? Make sure the companies you’re partnering with can be trusted. So what if you have all necessary controls in place to protect PHI if the companies you’re working with aren’t doing the same?

The time to start planning is now. This enhanced scrutiny of your privacy and security controls is inevitable. Engage a third party auditor. Conduct an internal Mock Audit. Don’t be surprised by a visit from the OCR.

For more information about HIPAA Compliance or help with preparing for Phase 2, contact us today.