The HHS Office for Civil Rights (OCR) has shared information about Phase 2 of its HIPAA Audit Program, including the timing, focus and approach of these audits. Rebecca Williams, RN, JD, Partner at Davis Wright Tremaine, offered insights and tips for health care providers preparing for Phase 2 audits in a recent presentation co-sponsored by ID Experts.
As we shared in a previous blog post, Phase 1 of the OCR Audit Program was conducted by KPMG and included 115 audits through December 2012. Security dominated the findings: 60% of all findings and observations related to the Security Rule, even though Security Rule requirements made up only 28% of the audit protocol items. Furthermore, two-thirds of the covered entities had no complete security risk assessment. In short, providers had a disproportionate challenge complying with the Security Rule.
Williams pointed out that the most common causes of findings and observations during Phase 1 were:
- The entity was unaware of the requirement
- Insufficient resources were applied to the requirement
- The implementation was incomplete, and
- The entity completely disregarded the regulation.
Specific security requirements that many entities were unaware of included the risk assessment (as mentioned above), media movement and disposal, and audit controls and monitoring.
As a result of the Phase 1 findings, OCR will conduct three types of audits in Phase 2: 100 Privacy audits, 100 Breach audits and 150 Security audits (projected breakdown by covered entity type below). Health care providers will represent two-thirds of the covered entities audited. Note that hospital employee health benefit plans are covered health plans under HIPAA and will be treated as separate entities from the hospital itself.
Phase 2 Audit Distribution Projections

| Entity Type | Privacy | Breach | Security |
|---|---|---|---|
| All covered entities (total) | 100 | 100 | 150 |
| Health plans | 33 | 31 | 45 |
| Providers | 67 | 65 | 100 |
| Clearinghouses | – | 4 | 5 |
The covered entities to be audited in Phase 2 have already been selected: address verification letters went out this spring, and a pre-audit survey followed early this summer to help OCR identify the business associates to be audited in 2015. About 350 covered entities are expected to receive notification letters in the fall for the first round of Phase 2 audits. Once a letter is received, an organization or individual provider has two weeks to respond.
Since two weeks is a very short time, it pays to prepare in advance. If you received an address verification letter, you may want to take these steps now:
– Understand the audit protocols and best practices for responding to an audit
  - The audits are expected to be mostly "desk audits" conducted largely by internal OCR staff members
  - Be timely, honest and complete when responding
  - Don't submit extraneous information, and don't create new policies or supporting documentation after you have received your official audit notice: it won't even be considered
– Do a pre-audit assessment to gauge your readiness. Answer questions like:
  - Are your policies and procedures and your Notice of Privacy Practices updated to reflect the Omnibus Rule changes?
  - Are you prepared to provide copies to individuals requesting access to their PHI?
  - Have you completed a professional and thorough risk analysis (or its most recent annual update)? Do you have an active and ongoing risk management process?
  - Have you identified all locations of PHI and all potential vulnerabilities and threats (internal and external) to this data? Furthermore, have you proactively implemented safeguards for all PHI?
– Review the specific areas HHS has indicated will be the focus of the audits and be sure you are compliant:
  - Privacy: notice and access procedures. Make sure your Notice of Privacy Practices complies with the requirements of the Omnibus Rule, that you distribute it to all new patients, and that you obtain written acknowledgement from patients. For access procedures, make sure your policies spell out the patient's right of access to their records (including electronic access!) and the right to request an amendment.
  - Breach: content and timeliness of notifications, backed by good written policy. Make sure you have a detailed policy for responding to breaches.
  - Security: risk analysis and risk management. If you don't have a recent risk analysis, now is the time to get professional help.