HHS Begins Phase 2 of HIPAA Compliance Audits; Is Your Institution Prepared?
A Health Care Client Alert
The Health and Human Services Office of Civil Rights (“OCR”) is initiating Phase 2 of its compliance audits for HIPAA. OCR plans to audit 350 covered entities (including 100 health care providers, 45 health plans, and five health care clearinghouses) and 50 business associates (including 35 IT-related and 15 non IT-related business associates). While Phase I only involved covered entities, Phase 2 will focus on both covered entities and business associates.
Historically, HHS investigated the following compliance matters the most:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Uses or disclosures of more than the minimum necessary protected health information
- Lack of administrative safeguards of electronic protected health information
2014 Phase 2 audits of covered entities will likely focus on:
- Security-‐Risk analysis and risk management
- Breach–Content and timeliness of notifications
- Privacy–Notice and Access
2015 Phase 2 audits of business associates will likely focus on:
- Security–Risk analysis and risk management
- Breach–Breach reporting
- Security–Device and media controls, transmission security
- Privacy–Safeguards, training to policies and procures
Health care providers and their business associates should prepare for a possible Phase 2 audit. Preparations include: (a) confirming that business associate agreements are in place, (b) confirming that assessment of potential security risks have been properly completed, (c) ensuring that proper breach notification policies are in place, (d) ensuring that reasonable and appropriate safeguards for PHI are in place, (e) ensuring proper training of the workforce on HIPAA compliance, (f) confirming the adoption of a facility security plan, and (g) confirming that software transmitting PHI employs encryption technology.
Bodman can provide practical guidance on this matter and others and help your organization ensure that it is ready for a potential audit. If you would like to discuss these or any other legal issues affecting your organization, please contact the chair of our Health Care Law Group, Bill Shipman, at (313) 393-7562 or firstname.lastname@example.org.