BreachExchange mailing list archives

Preparing for Phase 2 HIPAA Audits: It’s All About the Documentation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:43 -0700

http://www.jdsupra.com/legalnews/preparing-for-phase-2-hipaa-audits-its-70076/

The U.S. Department of Health and Human Services Office for Civil Rights
(OCR) will soon begin a second phase of audits of covered entities and
business associates evaluating compliance with the HIPAA privacy, security,
and breach notification rules. OCR recently announced a slight pause before
commencing the audits and a shift in focus, which makes this a perfect time
for a hospital to perform a HIPAA compliance check-up to ensure that it is
ready if selected for a Phase 2 audit.

In September 2014, OCR announced that it was delaying the Phase 2 audits
while it works to roll out a Web portal through which covered entities can
submit audit data. At a recent conference, OCR Senior Advisor Linda Sanches
said, “I’m ready to go, but our technology isn’t quite there yet.” In
January 2015, OCR Director Jocelyn Samuels said Phase 2 audits would be
“implemented expeditiously” and urged covered entities to keep checking the
OCR website for additional information in the coming weeks and months. The
random pool of covered entities to be audited has been selected, but as of
this writing, we are not aware of any notifications that have been sent.

In preparing for a Phase 2 audit, a focus on HIPAA Security Rule standards
is advisable. In the Phase 1 audits conducted during 2011 and 2012,
security accounted for 60% of OCR’s findings and observations. A hospital’s
check-up for a Phase 2 audit should include the following as priority tasks:

- Confirm that all action items reflected in a security risk analysis have
been completed or are on a reasonable schedule for completion
- If the hospital has chosen not to implement any of the Security Rule’s
addressable implementation standards, then clear documentation should be
available explaining and justifying the decision
- Ensure that HIPAA policies and procedures have been approved,
implemented, and updated on a regular basis, which is an indicator of an
active HIPAA compliance program
- Implement a comprehensive breach response plan that reflects the new
risk-assessment standard provided in the HIPAA Final Rule

The Phase 2 audits will primarily be desk audits that focus on documents
only, without on-site auditing. Therefore, proper documentation is
particularly critical. Even the failure to sign a policy prior to the date
of an audit request may create a presumption of noncompliance.

Given the relatively small sample size (perhaps as small as 200
organizations, including business associates), the chances that a
particular hospital will be selected for audit are fairly low. However,
preparing for an audit will help a hospital avoid sanctions in the event of
an OCR investigation—which could be triggered by any breach or patient
complaint reported to OCR.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com