Preparing for Phase 2 HIPAA Audit Compliance

by Sarah Harvey / March 23rd, 2016

The OCR has just announced that the Phase 2 HIPAA Audits have officially begun. The OCR is currently gathering information to determine which covered entities and business associates will be included in the auditee pool. If you haven’t already prepared for Phase 2 HIPAA Compliance, knowing where to begin may seem a bit overwhelming. Understanding the background of the OCR’s supervision of HIPAA Compliance is a good place to start to determine what steps to take to ensure that your organization will be prepared for a potential onsite audit.

Supervision Background

Supervision originally began in 2009 with HITECH Section 13411, which declared that Covered Entities (CE) and Business Associates (BA) would be subject to periodic audits. The OCR then had the authority to supervise both CEs and BAs, and as a result, in 2011/2012, the OCR began conducting Phase 1 Audits. Once the results were evaluated, the Phase 2 audits were scheduled to begin in 2014. After a brief delay, the Phase 2 audit program is now officially underway.

Evaluation of Phase 1 – Lessons Learned

Let’s take a look at the lessons learned from the findings of Phase 1 to see the most common shortcomings in organizations’ HIPAA compliance. During Phase 1, 115 entities were audited. Of the resulting findings, 65% related to the HIPAA Security Rule, 81% came from healthcare providers, and 66% came from Level 4 entities (those with less than $50 million in revenue). Within the Security Rule findings, 42% related to Administrative Safeguards, 40.50% to Technical Safeguards, and 16.76% to Physical Safeguards (Linda Sanches, OCR 2012).

Administrative Safeguards are the administrative actions, policies, and procedures that govern how an organization selects, implements, and maintains the security measures protecting PHI. They include things like written policies and procedures, risk analysis, risk management, workforce training, and proper documentation of all of the above.

Technical Safeguards govern who and what can access electronic PHI (ePHI) and how it is protected in storage and in transit. The Security Rule’s Technical Safeguards cover access control, audit controls, integrity, person or entity authentication, and transmission security; in practice that means things like patch management, firewall configurations, antivirus, logging and network monitoring, and encryption.

Physical Safeguards protect electronic information systems, buildings, and equipment from natural and environmental hazards, as well as unauthorized intrusion. Physical Safeguards refer to things like locks on doors, controlling access to sensitive areas, securing workstations, and controlling the devices and media that hold PHI.

The Phase 1 results point to the Security Rule as the area where organizations most often fell short, so that is where your preparation for Phase 2 HIPAA Compliance should start.

Following the Trends

Looking at the trends that we have seen with HIPAA enforcement actions and settlements leading into the Phase 2 HIPAA Audits, there’s an obvious emphasis on Risk Analysis. As noted from the Phase 1 Audit results, most organizations struggled with the Security Rule, and compliance with the Security Rule begins with the Risk Analysis it requires. To perform a Risk Analysis, you must ask yourself: What are the assets we need to protect? Where do we hold PHI? What are our handling processes when dealing with PHI? What are the threats and vulnerabilities affecting the PHI in our possession? Is each one a high risk or a low risk? Once you understand the answers to these questions, you can prioritize the risks and manage them properly, and you can document both the analysis and the decisions it led to, which is what an auditor will ask to see.

The second trend is data breaches. We still constantly see data breaches in the headlines, and when you look at the breaches that are happening in the healthcare industry, the common cause is theft or loss of electronic media: a lost laptop, thumb drive, tape backup, or off-site media storage that went missing with unencrypted data on it. The most important thing to take away from this trend is to encrypt everything, including removable media and mobile devices. Under HHS’s guidance, PHI that is encrypted in a manner consistent with the referenced NIST standards is not “unsecured PHI,” so losing an encrypted device (where the key was not lost with it) does not trigger the breach notification obligations that losing an unencrypted one does.

The final trend to take away from the enforcement activity leading into Phase 2 is action by state Attorneys General. The HITECH Act gave state Attorneys General the authority to bring civil actions for HIPAA violations affecting their residents, and the Department of Health and Human Services (HHS) conducted trainings for AG offices across the U.S. It is worth keeping in mind that state authorities can and do get involved in the event of an incident or consumer complaints, independently of any OCR audit.

What to Expect with Phase 2 HIPAA Compliance Audits

There are three major changes to expect with the upcoming Phase 2 HIPAA Audits: a Protocol Update, an Online Portal, and Desk Audits. So far, the updated protocol has not been published. The current HHS audit protocol is on HHS’s website, and it is a good place to start when considering what you need to do to prepare. Its Audit Procedures column shows exactly what the OCR will be looking for and the procedures they will follow in determining your compliance with HIPAA.

There will be an Online Portal that will be used for data collection. Each entity will be given access to this portal where they will then upload documentation and answer questions that will be delivered to the OCR audit team. The evidence that you provide will be used to validate and determine whether or not you are in compliance with HIPAA.

Another difference with this phase of audits is the Desk Audit. A Desk Audit is a remote audit conducted entirely through the online portal, using questionnaires and requests for information. It has no onsite component, so it is important to keep in mind the kinds of questions the auditors will be asking themselves while reviewing your documentation: How did they answer the questions? What documents did they submit? Does the evidence actually support the answers? This aspect of Phase 2 will be led by the OCR with contracted support from KirkpatrickPrice among a few other firms.

Phase 2 Desk Audits

500 questionnaires will be sent out to a group of Covered Entities. Of those 500, 200 Covered Entities will be selected for Desk Audits, along with 40 Business Associates (chosen based on the selected CEs). It is important to answer the questionnaires as thoroughly as possible, because there will be no interaction between you and your auditor during this phase. Your documentation needs to be clear and concise so the auditors can review it and make their findings. After the findings have been drafted, they are issued to the entity for a management review of the report. Lastly, the final report is issued, and that is the point at which settlements and enforcement actions can occur, depending on the outcome of the audit.

What Covered Entities Should Know

For a Covered Entity, three areas will be reviewed during a Phase 2 Desk Audit: the Security Rule, identifying and notifying patients of data breaches, and the Privacy Rule. The questionnaires relating to the Security Rule will focus on things like device and media controls. How do you control the transport of media throughout your organization? How do you control and secure devices? Another thing to focus on is the transmission of data and transmission security. How are you securing the electronic sending of data across the internet or between different systems in your organization? They will also focus on your Risk Analysis and Risk Management. Are you performing a formalized analysis of the risks posed to the PHI you handle? Do you understand what your risks are? What is your Risk Management plan? How are you assessing and managing those risks?

What Business Associates Should Know

For Business Associates, the Security Rule should be the main focus. Organizations like managed IT vendors, records storage facilities, and application service providers should concentrate on Risk Analysis, Risk Management, and breach notification to the Covered Entities they serve.

Phase 2 Onsite Audits

The Phase 2 HIPAA Audits will include both Covered Entities and Business Associates and will consist of 24 onsite audits, each 3 to 5 days in length. These will be more comprehensive than the Desk Audits and will be conducted in person by an officer of the OCR. The kinds of things that will occur during an onsite audit are interviews of personnel to corroborate submitted information and understand how employees actually operate, an examination of operations and how data flows through the entity, a review of policies and procedures, and observation of processes to confirm they are followed as documented.

How To Prepare

  1. Conduct a Security Rule risk assessment and implement a risk management plan.
    • Evaluate your policies and procedures related to PHI vulnerability, accessibility, and integrity. Are they adequate, and do they cover all necessary areas? After all risks are identified, what needs to be adjusted?
    • Identify all systems that hold PHI by doing a data flow walkthrough. How does PHI enter your environment? Where does it go? What are the risks at each point?
    • Evaluate security measures to reduce risk as part of your risk management plan. Now that you’ve identified the risks, what are you, as an organization, going to put in place to address those risks? Be sure to document your risk management plan.
  2. Breach Reporting (impermissible acquisition, use, access, or disclosure of PHI)
    • Evaluate your policies and procedures for providing notice and follow-up.
    • Evaluate your breach notice content and timeliness.
  3. Privacy Notice and Access
    • Evaluate your policies and procedures.
    • Evaluate privacy notice practices.
    • Evaluate Business Associate Agreements.


For more information regarding the Phase 2 HIPAA Audits, contact us today. The press release announcing the audits was issued by the Office for Civil Rights.