Phase 2 of the much talked about HIPAA audits will soon begin, and the US Department of Health and Human Services’ Office for Civil Rights (OCR) is all set to review the compliance of covered entities and their business associates with the HIPAA Privacy, Security, and Breach Notification Rules, under the audit mandate of the Health Information Technology for Economic and Clinical Health (HITECH) Act. These audits, unlike the pilot audits conducted in 2011 and 2012, will include both covered entities and their business associates, and will focus on areas of greater risk to the security of protected health information (PHI) and on pervasive non-compliance.
The upcoming audits will also aim to identify best practices and to uncover vulnerabilities and risks that were not identified through other enforcement activities. OCR will use the findings of the Phase 2 Audit Program to identify areas where technical assistance has to be developed for covered entities and their business associates. Where an audit identifies serious non-compliance, OCR will initiate a compliance review of the audited organization, which in turn may lead to civil monetary penalties.
So the time is now ripe for covered entities to learn from the findings of the Phase 1 audits, understand the course of the Phase 2 audits, and prepare in advance by taking the necessary action and being able to demonstrate compliance. Here is a more detailed look at what covered entities need to know:
Findings from Phase 1
115 covered entities were audited under the first phase of the audit program, with the following results:
- Only 11% of the covered entities audited had no findings at all
- The smallest covered entities had the most difficulty complying with all three sets of standards (Privacy, Security, and Breach Notification)
- About 53% of the audited entities were responsible for 65% of the total findings and observations
- Over 60% of the findings related to Security Standard violations, and 58 of the 59 entities assessed against the Security Standards had at least one security finding or observation
- More than 39% of the findings concerned Privacy Standards, which was attributed to a lack of awareness of the applicable Privacy Standard requirements
- 10% of the findings were attributed to non-compliance with the Breach Notification Standards
What to Expect in Phase 2
While Phase 1 focused only on covered entities, Phase 2 audits will include both covered entities and their business associates. OCR has randomly selected 550-800 entities through the National Provider Identifier database and America’s Health Insurance Plans’ databases of health plans and healthcare clearinghouses. These entities will soon be issued a mandatory pre-audit screening survey covering each organization’s size, location, services, and contact information. Based on the survey responses, around 350 covered entities, consisting of 232 healthcare providers, 109 health plans, and 9 healthcare clearinghouses, will be selected for the Phase 2 audits. OCR intends to select a wide range of covered entities, which will be audited between October 2014 and June 2015.
OCR will notify the shortlisted entities this fall and ask them to identify their business associates and provide their contact details. The business associates that will participate in the Phase 2 audits will be selected from this information.
The Audit Process
Once the covered entities and business associates have been identified, they will have two weeks to respond to OCR’s data request. The data request will list the content, file names, and other documentation required to demonstrate compliance. The auditors may then contact these entities for clarification and additional documentation. Failure to respond to these requests may lead to a referral to the applicable OCR regional office for a compliance review.
Of the 350 selected covered entities, approximately 150 will be audited for compliance with the Security Standards, 100 for compliance with the Privacy Standards, and 100 for compliance with the Breach Notification Standards; the 50 selected business associates will also be audited against the Security Standards. Unlike Phase 1, this phase will be conducted as desk reviews with an updated audit protocol, not on-site. The audit protocol will be published on the OCR website so that covered entities and their business associates can use it for internal compliance assessments.
The second phase will primarily target those HIPAA standards identified as the highest sources of non-compliance in the first phase: risk analysis and risk management, content and timeliness of breach notifications, the notice of privacy practices, individual access, the Privacy Standards’ reasonable safeguards requirement, workforce training on policies and procedures, device and media controls, and transmission security.
In the audits to be conducted in 2016, OCR is also likely to focus on the Security Standards’ encryption and decryption requirements, facility access controls, and breach reports and complaints. The Phase 2 audits of business associates will focus on risk analysis, risk management, and breach reporting to covered entities.
Following the audits, OCR will present a draft report to each organization and allow it to comment before the report is finalized. The organization’s responses will be taken into account before the final report is issued.
Preparing for the Phase 2 Audits
All covered entities and business associates should take the following steps to ensure that they are well prepared for the upcoming audits:
- Make sure that a comprehensive, organization-wide risk analysis (the assessment required by the Security Standards) has been completed recently, and that it identifies potential risks and vulnerabilities to electronic PHI wherever it is stored, processed, or transmitted.
- Ensure that all action items arising from the risk analysis have been completed, or are scheduled for completion within a reasonable, documented timeline.
- Prepare a complete inventory of business associates, so that the data requests for the Phase 2 audits can be answered promptly.
- Where the organization has not implemented an addressable implementation specification for any of its systems, make sure there is adequate documentation explaining why implementation was not reasonable and appropriate, and listing the alternative security measures that were implemented in its place.
- Confirm that a breach notification policy that accurately reflects the content and deadline requirements of the Breach Notification Standards has been implemented.
- Ensure that a compliant Notice of Privacy Practices is in place, not just a website privacy notice.
- Confirm that reasonable and appropriate safeguards for PHI are in place, and that they cover paper and verbal PHI as well as electronic PHI.
- Make sure workforce members are adequately trained on the HIPAA standards relevant to their job duties.
- Maintain an inventory of information system assets, including mobile devices, even in BYOD environments.
- Make sure electronic PHI is encrypted at rest and in transit wherever that is reasonable and appropriate. Encryption is an addressable specification, so where it has not been applied, keep documentation of the reasons for that decision and of the alternative measures in place. Note that PHI encrypted in line with HHS guidance is not “unsecured” PHI, so the loss of a properly encrypted device does not by itself trigger breach notification, which is a strong practical argument for encrypting portable devices and media.
- Confirm that a facility security plan is available for each physical location with access to PHI.
- Review the security policies periodically and identify actions that have not been completed as required. This review should cover physical security plans, disaster recovery plans, emergency access procedures, and similar controls.
At this crucial juncture, when covered entities can leave no stone unturned in securing their PHI and complying with the requirements of HIPAA, a comprehensive automated security posture, compliance, and risk management solution such as Aegify Security Posture Management, Aegify SecureGRC, or Aegify Risk Management can prove highly valuable to healthcare covered entities and their business associates in meeting the audit requirements in a simple, timely, and cost-effective manner.