Paubox blog: HIPAA compliant email made easy

HIPAA audit phase 2 is coming, are you prepared?

Written by Phuong Tran | November 10, 2015

HIPAA audit phase 2 is coming, are you ready for it? Under the 2009 Healthcare Information Technology for Economic and Clinical Health Act (HITECH), the Office of Civil Rights (OCR) is required to conduct HIPAA compliance audits of covered entities and business associates. The second phase of this audit is expected to start as early as Fall 2015 or early 2016.


What to expect from phase 2

Unlike the phase 1 audits, which only focused on covered entities, the phase 2 audits will assess both covered entities and business associates. In February of 2014, the OCR sent out requests for data from 800 covered entities and 400 business associates. The type of data that the OCR is requesting includes the number of patient visits or insured lives, use of electronic information, revenue, and more. Of these requests, the OCR intends to audit approximately 150 covered entities and 50 business associates. The focus of the phase 2 audits will revolve around the areas of noncompliance revealed in phase 1: risk analysis, risk management, and breach reporting. Ultimately, the goal of the phase 2 audits is to identify best practices and areas of vulnerability, and to use the results of the audit to provide technical assistance to covered entities and business associates.


Tips on preparing for phase 2 audits

If you are one of the few healthcare entities that have been selected to be audited, Paubox has outlined a few tips to help you prepare.
  • Make sure that all communications from the OCR are directed to the people who are in charge of handling the audit within your organization. Considering that the turnaround time for a response to the request is only 10 days, you do not want to get caught off guard because the requests did not go to the right people.
  • If not done already, conduct a risk assessment and retain all documentation. Make sure that all of your HIPAA-related documents are organized, up to date, and kept in a central location.
  • For covered entities, make a list of all your business associates, the services they provide, and their contact information.
  • Review your facility security plans, disaster recovery plans, notices of privacy practices, and business associate agreements.
  • Ensure that you have a breach notification process in place that complies with the breach notification standards.
  • Confirm that all of your employees have been properly trained on HIPAA and that this training is documented.
  • Encrypt, Encrypt, Encrypt! Make sure that all of your information systems and software responsible for transmitting protected health information (PHI) use encryption. Otherwise, you will have to provide the risk analysis justifying your decision not to use encryption.


Considering the financial repercussions and media scrutiny, it is imperative that all covered entities and business associates take steps to prepare for this audit, whether or not they are ultimately audited. Paubox can help make sure you are protecting PHI by providing seamless HIPAA compliant email encryption services.


Try Paubox Email Suite for FREE today.