The Phase II Audits from the Office of Civil Rights (OCR) are right around the corner! The program, announced by Health & Human Services (HHS) in 2016, was created to take a “snapshot” of HIPAA compliance in the healthcare industry. HHS wants to know how well the guidelines are understood by covered entities and where additional guidance may be required. To date, all HIPAA inspections have been driven by reported violations, so a move toward random inspections is an important change in direction.
The Audits Process To-Date
- Emails were sent requesting the name and contact information of the HIPAA contact for each covered entity (CE).
- Some of these CEs were sent a follow-up email with a survey on practice size and specialty in order to set up audits across the full spectrum of practice sizes and specialties.
- A sampling of those who received the survey were chosen to participate in a Desktop Audit in July 2016. These businesses had 10 days from receipt of the email notification to answer a set of questions focusing on either the privacy side or the security side of HIPAA and to upload supporting documentation, including a list of their business associates (BAs) and their contact information.
- Some of the identified BAs were then required to participate in a similar Desktop Audit.
- In June 2017, the results of the individual Desktop Audits were sent only to the participating CEs.
The Next Steps
- Statistics from the Desktop audits are being compiled and will be published publicly. This data will not include the names of those audited.
- OCR will launch a series of On-Site Audits. They have proposed that the pool for these audits will be those entities who received the email survey regarding practice size and specialty. Those who participated in the Desktop Audit will not be subject to the On-Site Audits, but those who did not respond when asked to participate will definitely be included. These On-Site Audits will take approximately 3-5 days. Like the Desktop Audits, there will be no fines assessed from these audits. However, HHS has declared that if they do find something “egregious,” they will call in an inspection that can assess fines.
- Entities audited will be notified of their results.
- Statistics will be compiled and published publicly.
Once HHS has digested the data gathered by the Phase II Audits, it will launch a random inspection program. The results of these inspections may generate fines.
Some things that we have learned from the Desktop Audit results already:
- Patients must be able to read your entire Notice of Privacy Practices (NPP) on your website. A link to a PDF file is not sufficient.
- HHS strongly encourages an annual Risk Analysis, but the rules don’t REQUIRE it. You are also encouraged to perform one any time you make significant changes to your systems.
- You must complete a Corrective Action Plan for any issues identified by your Risk Analysis. It must include what action you take to fix your problems and clear documentation on who is responsible for following the plan. Management must be clearly involved, and the plan should be updated annually.
- You must have clear policies and procedures in place to manage risk.
- The most important thing we learned: no Risk Analysis will be complete without IT doing a thorough analysis and audit of your computer systems and their vulnerabilities.
TMC has always strongly encouraged this step, but HHS has made it clear that you MUST include it. Choose your IT company wisely. Our website lists a group of IT companies to get you started. Some have been HIPAA trained by TMC. Whether your IT is in-house or not, HHS now offers a certification in HIPAA (ONC Health IT Certification). Obtaining it would be a good way to ensure they understand the specifications.