AHIMA toolkit helps facilities prepare for HIPAA Phase 2 audits

With the HHS Office for Civil Rights’ Phase 2 HIPAA audit program in full swing, the American Health Information Management Association has released a toolkit to help covered entities get ready for on-site audits by OCR.

According to Kathy Downing, senior director at AHIMA, Phase 2 audits include both desk and onsite visits. However, she contends that Phase 2 audits conducted onsite will examine a broader scope of HIPAA requirements than those addressed during the initial desk audits.

Also See: How HIPAA enforcement could change in 2017

Last year, OCR began notifying covered entities that they were selected for the desk audit portion of the program. Phase 2 is also the first time that OCR’s audits will be directly looking at HIPAA compliance for business associates.

“We know that OCR did desk audits in 2016, and they’re currently planning for face-to-face, onsite audits in 2017 for covered entities,” says Downing. “Every organization should be investing time in self-auditing.”

Toward that end, AHIMA’s toolkit covers key aspects of Phase 2 audits, including helping covered entities and business associates understand their respective requirements, as well as detailing industry best practices for meeting their regulatory obligations. In Phase 2 of the audit program, covered entities are reviewed by OCR for HIPAA compliance regardless of whether or not a complaint has been filed against them.

“If OCR finds something and they start to dig deeper, they’re probably going to find other things,” adds Downing. “So it’s best to know what you’re doing well and what you need to beef up.”

Among the topics addressed in the AHIMA external HIPAA audit readiness toolkit are:

  • Introduction to the legal requirements involved in the HIPAA audits
  • Guidance on how providers can prepare for the audits, including an expansion on the HIPAA Audit Protocol
  • Checklists for HIPAA audit steps, forms, policies and procedures
  • List of potential OCR documents requested
  • Master policy template for the privacy and security compliance program

Also See: Feds fine Dallas hospital $3.2M for HIPAA security violations

“There’s a lot of risk associated with non-compliance with HIPAA,” contends Downing, who cites some of the multi-million dollar fines levied by OCR recently. “This idea of self-auditing has become very important.”

Downing notes that AHIMA’s toolkits are free for its members and cost $99 for non-members.

For reprint and licensing requests for this article, click here.