BreachExchange mailing list archives
Preparing for Phase 2 HIPAA Audits: It’s All About the Documentation
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:43 -0700
http://www.jdsupra.com/legalnews/preparing-for-phase-2-hipaa-audits-its-70076/

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits of covered entities and business associates evaluating compliance with the HIPAA privacy, security, and breach notification rules. OCR recently announced a slight pause before commencing the audits and a shift in focus, which makes this a perfect time for a hospital to perform a HIPAA compliance check-up to ensure that it is ready if selected for a Phase 2 audit.

In September 2014, OCR announced that it was delaying the Phase 2 audits while it works to roll out a Web portal through which covered entities can submit audit data. At a recent conference, OCR Senior Advisor Linda Sanches said, “I’m ready to go, but our technology isn’t quite there yet.” In January 2015, OCR Director Jocelyn Samuels said Phase 2 audits would be “implemented expeditiously” and urged covered entities to keep checking the OCR website for additional information in the coming weeks and months. The random pool of covered entities to be audited has been selected, but as of this writing, we are not aware of any notifications that have been sent.

In preparing for a Phase 2 audit, a focus on HIPAA Security Rule standards is advisable. In the Phase 1 audits conducted during 2011 and 2012, security accounted for 60% of OCR’s findings and observations.
A hospital’s check-up for a Phase 2 audit should include the following as priority tasks:

- Confirm that all action items reflected in a security risk analysis have been completed or are on a reasonable schedule for completion
- If the hospital has chosen not to implement any of the Security Rule’s addressable implementation standards, then clear documentation should be available explaining and justifying the decision
- Ensure that HIPAA policies and procedures have been approved, implemented, and updated on a regular basis, which is an indicator of an active HIPAA compliance program
- Implement a comprehensive breach response plan that reflects the new risk-assessment standard provided in the HIPAA Final Rule

The Phase 2 audits will primarily be desk audits that focus on documents only, without on-site auditing. Therefore, proper documentation is particularly critical. Even the failure to sign a policy prior to the date of an audit request may create a presumption of noncompliance.

Given the relatively small sample size (perhaps as small as 200 organizations, including business associates), the chances that a particular hospital will be selected for audit are fairly low. However, preparing for an audit will help a hospital avoid sanctions in the event of an OCR investigation—which could be triggered by any breach or patient complaint reported to OCR.