OCR will audit Business Associates too.
Ignore the HHS Office for Civil Rights’ upcoming HIPAA audits at your peril, experts warn.
Disregarding Phase 2 audits is no longer an option, Jared Festner, HIPAA specialist for Irvine, Calif.-based Medical Information Technology Group, said in a statement. “If you think for one minute your [organization] won’t be under the microscope for everything from device encryption, to making sure that every policy and procedure is completely filled out and updated on a yearly basis, you’ll be kicking yourself once you receive fines of up to $1.5 million per offense.”
The delay in Phase 2 OCR audits doesn’t mean that you can relax your efforts to make sure you’re in compliance with all HIPAA regulations, said Charlotte, N.C.-based attorney Chara O’Neale in a blog post for law firm Parker Poe. While the audit portals are still under development, this is a good time to:
• Make sure your HIPAA policies and procedures are up-to-date and meet the latest privacy and security requirements;
• Create a list of all business associates (BAs) that provide services to your organization; and
• Conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Last year, OCR stated that the Phase 2 audits would focus on specific HIPAA compliance issues, law firm Alston & Bird noted. For covered entities (CEs), these compliance areas include:
• Risk analysis and risk management (Security Rule);
• Notice of privacy practices (NPP) and access rights (Privacy Rule);
• Content and timeliness of breach notification (Breach Notification Rule);
• Device and media controls and transmission security (Security Rule); and
• Safeguards and training on policies and procedures (Privacy Rule).
For BAs, audits will focus on risk analysis and risk management, as well as breach reporting to the CE, Alston & Bird said. “OCR had also indicated that the audits would be ‘desk audits’ — i.e., document-only audits, without follow-up.”