How to prepare for Phase 2 of HIPAA audits

While only a fraction of providers will face this scrutiny, organizations that implement these measures now will facilitate future audits and improve HIPAA compliance.


Phase 2 HIPAA audits are here. It’s no longer a matter of when. The question is: Are you ready?

On March 21, 2016, the HHS Office for Civil Rights (OCR) launched the second phase of audits for compliance with HIPAA privacy, security and breach notification rules. And in his July 18 article, “Second phase of HIPAA audits shifts into high gear,” HDM’s Managing Editor Greg Slabodkin informed us that, according to OCR, letters were delivered via email to “167 health plans, healthcare providers and clearinghouses” on July 11. Unlike the pilot audits, which focused only on covered entities, Phase 2 targets both covered entities and their business associates.

While most of the Phase 2 audits will be desk audits, some onsite audits will be conducted. Phase 2 audits will focus on areas with high occurrences of noncompliance in Phase 1, particularly issues raised during data breach investigations. These include risk analysis and management, notice of privacy practices, timeliness of breach notification, reasonable safeguards, facility access control, and workforce training on policies and procedures.

To prepare for Phase 2 audits, covered entities and business associates should review their HIPAA privacy, security and breach notification policies and confirm that the following requirements are in place and current:

Comprehensive documented risk assessment. Promptly address any deficiencies and complete all action items. Build on the assessment outcomes to create a strong risk management program. Periodically conduct a follow-up security risk analysis to identify, address and document any new deficiencies.

Written HIPAA policies and procedures. These should reflect privacy and security standards along with any risks or vulnerabilities identified during the assessment process.

Incident response plan for responding to breach of protected health information (PHI). Implement breach notification policies and procedures that are aligned with requirements under the HIPAA breach notification standards. Conduct practice rounds to prepare staff for a real event should it occur.

Current Notice of Privacy Practices. Provide printed copies of the most recent notice to patients and also make the notice available on the organization’s website.

Safeguards to protect all forms of PHI. This applies to paper, electronic and verbal PHI, including mobile devices and storage media. For employees who have personal devices, implement a BYOD policy aligned with HIPAA standards. Keep an up-to-date inventory of all systems and mobile devices.

Workforce training program. Conduct and document training for new employees. Conduct and document ongoing training for all workforce members.

Business associate agreements. Organizations must maintain a current inventory of all business associates. Agreements should be updated and implemented in compliance with current HIPAA requirements.

PHI transmission policy. Verify that all PHI is encrypted, or document a risk analysis to support the decision not to use encryption technology.

Even if your organization is not selected for a Phase 2 audit, implementing judicious measures now will support future audits and improve HIPAA compliance.

It doesn’t just end with an audit occurring within the four walls of a healthcare organization. With more healthcare professionals working from home, there is growing concern about the possibility of “at-home” audits—if not now, these may happen in the near future. We’re operating in a virtual world—building a remote workforce, and many HIM departments are sending people home—coders, transcriptionists, even management staff.

Suppose OCR conducts an onsite audit at your facility and finds that some employees work from home. You must be prepared for the inevitable questions. How are you protecting information offsite? What measures are you taking to make sure PHI is secure? What policies and procedures are in place to address specific issues of at-home worksites? If you’re preparing for OCR audits—or any audits—these are increasingly important points to consider.

As a business associate, CIOX Health is taking a proactive approach in case auditors want to know how workers at home are being audited. Options might include Skype, Facetime or Hangouts. Here are some basic questions to ask employees when evaluating at-home privacy and security risks:
  • Where are you located in your personal residence?
  • Is your workspace private?
  • Are passcodes properly concealed, not posted in the workspace?
  • Do you use a virtual private network (VPN)?
  • Do you have the capability to print information?
  • Do you have appropriate shredding capability?
  • Is your computer set to shut down (encryption mode) in your absence?

These questions are just the beginning of the conversation. It is critical to communicate clear expectations to employees who work at home—along with consequences if they fail to maintain privacy and security according to your policies and procedures.

Our company’s work-from-home policy defines the telecommuting work arrangement, including comprehensive privacy and security practices. The telecommuting employee must sign an agreement to ensure the protection of proprietary information and PHI, and to maintain the same level of confidentiality that exists on the company premises. If issues arise, there are several options depending on the severity of noncompliance—corrective action, education and training, increased audits, return to in-house, or termination of employment.

Although current OCR requirements do not specifically require at-home audits, the regulations clearly state that all reasonable precautions must be taken to ensure that all information is secure and privacy is maintained.

The best way to mitigate regulation issues is to have a solid HIPAA program in place. And, organizations that have also implemented successful IG initiatives will be well prepared to demonstrate best practices that proactively identify and address risks to PHI.

HIM must work closely with IT and other departments—risk management, C-suite, compliance, training and education—to properly prepare for audits. HIM directors and their staff understand the content and use of PHI, where it is most likely to be at risk, and how to protect it. As experts in HIPAA and information governance practices, HIM professionals can lead their organizations through a successful audit.
