OCR Announces Phase 2 HIPAA Audit Program
03.25.16
Earlier this week, the Health and Human Services Office for Civil Rights (OCR) announced the start of the 2016 Phase 2 HIPAA Audit Program, by which the OCR will review the policies and procedures adopted and employed by covered entities and their business associates to comply with the applicable requirements of the HIPAA Privacy, Security and Breach Notification Rules. Although Phase 1 (conducted in 2011 and 2012) focused exclusively on covered entities, the new round of audits will include business associates in addition to covered entities, and is expected to include a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates across the healthcare spectrum, factoring in the size, types and operations of potential auditees.
These audits will primarily be desk audits (whereby audited entities will be required to submit requested documents online via a new secure audit portal on the OCR’s website), although some on-site audits will be conducted. And, although the OCR has indicated that it intends to use these audits primarily to aid the OCR in providing education and guidance to the industry, OCR has made clear that, should an audit report indicate a “serious compliance issue,” OCR may initiate a compliance review or investigation, which could lead to monetary penalties or corrective action.
To prepare your organization for a potential Phase 2 audit, we recommend the following steps:
- Prepare a list of your organization’s business associates with contact information, and ensure compliant Business Associate Agreements are in place with each business associate.
- Ensure your organization has completed an enterprise-wide security Risk Analysis and implemented a Risk Management Plan to address all of the potential risks and vulnerabilities to electronic PHI that your organization maintains, accesses or transmits across its entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. Note: a security risk analysis performed for EHR Meaningful Use purposes may not be sufficient for HIPAA purposes if any electronic PHI is accessed, transmitted or maintained outside of the organization’s certified electronic health record technology (CEHRT).
- Ensure your organization has adopted written policies and procedures for complying with all applicable HIPAA Privacy and Security Rule requirements, including requirements for safeguarding PHI, whether in electronic or paper form, and for promptly identifying and reporting breaches and security incidents.
- Ensure your organization’s HIPAA policies governing patients’ rights to access and obtain copies of their medical records are up-to-date and consistent with recent OCR guidance.
- Confirm that your organization has sufficient data backup and contingency planning policies and processes in place to ensure the availability and integrity of electronic PHI in the event of an emergency or other system failure. Healthcare providers are increasingly becoming the victims of ransomware attacks.
- Ensure that your organization has adopted encryption technologies for all systems and devices (including mobile devices) that access PHI, or has documented the risk analysis supporting the decision not to employ encryption. Note: although encryption is an addressable (not mandatory) standard, OCR has made clear that it expects organizations to adopt encryption technologies as a reasonable security measure or to have a well-documented reason why they have not.
- Ensure that your organization has adopted appropriate and comprehensive device and media control policies. Lost or stolen laptops and other portable devices account for about a third of large breaches reported to the OCR.
- Confirm that your organization’s workforce members regularly receive HIPAA training necessary and appropriate for their job duties and that training logs are maintained in accordance with HIPAA requirements.
- For covered entities, confirm that your organization has an up-to-date Notice of Privacy Practices.