Phase 2 of HIPAA Audit Program Launches

Bacho/shutterstock.com

With many competing priorities facing physician practices, HIPAA compliance and security is not a topic that usually makes it to the top of the list. But this is not the case with the Department of Health and Human Services’ Office for Civil Rights (OCR), because it has initiated a new phase of audits of physician practices, health plans, clearinghouses and business associates to assess compliance with HIPAA Privacy, Security and Breach Notification Rules. Because most practices underestimate the importance of reviewing and updating their privacy and security guidelines, it is important to pay close attention to your covered entities and business associate agreements as they relate to patient information.

In 2014 through 2015 (Phase 1), the OCR began work on building its audit protocol to glean information on covered entities’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The Phase 1 assessments of healthcare providers, health plans and clearinghouses revealed weakness in the internal databases and compliance programs of many entities, particularly that of small group practices. Although most of the security rules generally seem to be geared toward covered entities, the guideline for privacy compliance also extends to business associates that provide services for physician practices and hospitals.

Differences Between Phase 1 & Phase 2

It seemed that the OCR’s Phase 1 audits were disappointing, as they revealed many findings or observations of noncompliance related to the Security Rule compliance. As stated before, Phase 1 focused mainly on HIPAA standards; however, Phase 2 will focus on key noncompliance areas and a more comprehensive approach to those areas that were identified in Phase 1. This is in an effort to avoid the potential for data breaches and security gaps that can expose patient information and have a financial impact on the healthcare industry.

In their Phase 2 audit program in 2016, for the first time, audits will include business associates. Under the omnibus rule, a business associate is defined as any person or entity that creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity. Currently, business associates provide services to covered entities that include billing, claims processing, consulting, management administration, accreditation and financial services. Additionally, with the increased utilization of health data analytics, most entities are outsourcing the handling, process and analysis of this information through business associates, who are receiving more access to patient documents and files.

Off-Site vs. On-Site Audits

Every covered entity and business associate is eligible for an audit. The OCR will conduct primarily desk audits of selected organizations’ policies and procedures to meet selected standards and implementation specifications of HIPAA regulations, with a projection to be completed by December 2016. The main focus will be on areas that are of greater risk to the security of protected health information (PHI). Keep in mind the OCR indicates that some on-site audits will be conducted.