The long-awaited 2nd phase of the HIPAA audit program of the HHS Office for Civil Rights is now in complete swing. In accordance to OCR, few covered entities have gained notification letters regarding their inclusion in the desk audit portion.
OCR declared that letters were delivered on the day of July 11 through email to 167 health policies, healthcare contributors and clearinghouses. The agency claimed that desk audits will investigate the selected covered entities’ HIPAA agreement.
“These entities have ten business days, until the day of July 22, 2016, to respond to the document appeals,” OCR stated in the announcement. “Desk audits of business associates will follow this fall.”
Phase Two of OCR’s audit program is significantly concentrated on desk audits of policies and processes, compared with Phase 1. OCR expects this approach will enable the agency to be more effective in audits with lesser resources than would be needed to support complete onsite audits for all agencies.
“The desk audits are focused examinations of documentation of entity agreement with some needs of the HIPAA rules,” in accordance to the declaration. “OCR chose these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent places of noncompliance.”
Those HIPAA needs chosen for desk audit review involve:
- Breach Notification Rule—Timeliness of Notification, and Content of Notification.
- Privacy Rule—Notice of Privacy Practices and Content Requirements, Provision of Notice–Electronic Notice, and Right to Access.
- Security Rule—Security Management Process (Risk Analysis), and Security Management Process (Risk Management).
Daniel Gottlieb, a healthcare law attorney and partner at McDermott Will & Emery, asserts that the Phase Two audit program is placing more attention on places of higher threat to the security of secured health data and on pervasive non-agreement, deployed on OCR’s Phase I audit findings and observations, instead of a detailed review of all of the HIPAA standards.
“In situations where an audit unveils a serious agreement concern, OCR might initiate a compliance review of the audited agency that could lead to civil money penalties,” stated Gottlieb. “OCR’s declaration that it has introduced the Phase 2 HIPAA audit program isn’t surprising in light of recent critique of OCR’s HIPAA imposition attempts by the Office of Inspector General and following the various cyber attacks on the healthcare industry.”
Gottlieb suggests various steps that covered entities and business associates should take to make sure that they are ready for a potential Phase 2 audit, involving:
- Confirming that the agency has recently completed a brief assessment of potential security threats and susceptibilities to the agency, in other words, perform a risk assessment.
- Confirming that entire systems and software that transfer electronic PHI employ encryption technology or that the agency has a documented risk analysis motivating the decision not to employ encryption.
- Making sure that the agency has executed a breach notification policy that rightly depicts the content and deadline needs for breach notification under the Breach Notification Standards.
- Confirming that entire action items recognized in the Risk Assessment have been completed or are on a reasonable timeline to completion
In Phase Two of the audit program, covered entities will be observed for HIPAA agreement, regardless of whether a complaint has been submitted against them. When it comes to business associates, Phase Two is the 1st time that OCR’s audit program will be straight searching at business associates.
No comments:
Post a Comment