Healthcare News & Insights

Is your hospital ready for the next round of HIPAA audits?

HIPAA audits are starting up again soon, but the changes in phase 2 of the program could shake up healthcare facilities that aren’t prepared.

Over the last year, several big-ticket settlements from protected health information (PHI) breaches at healthcare organizations have sent a clear message to other providers — PHI security should always be a top priority at your facility or it could cost you.

The hefty monetary penalties for HIPAA violations show the level of enforcement the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is willing to go to for the sake of widespread compliance from providers.

The next phase of the OCR’s HIPAA enforcement will come in October, when it’ll begin conducting phase 2 HIPAA audits on covered entities. And based on the data gathered during phase 1 of the audit program, OCR will be adjusting several key parts for October, according to the law firm McDermott, Will & Emery.

Phase 1 findings

The first phase of audits reviewed over 100 covered entities (CEs) for compliance with all HIPAA standards. The audits revealed important information about PHI security:

  • Nearly all of the healthcare providers audited had at least one security standard violation
  • A large portion also lacked sufficient understanding of the HIPAA privacy standard, and
  • Only 10% of the audit findings were related to the Breach Notification Standard violations.

Planning for phase 2

As a result of these findings, phase 2 audits will be narrower. Rather than audit facilities for compliance with all HIPAA standards, the OCR is focusing on areas of operations with greater risk for vulnerabilities. The first round of phase 2 audits begins in October and runs until June 2015.

So who will be audited this time around?

The OCR is randomly picking between 550 and 800 CEs and sending them a pre-audit survey. Then the agency will select CEs to be audited based on their responses to questions about details like size measures, location, common services and contact information.

It’s not just the CEs who are on the hook for compliance, though. The OCR will also be reviewing business associates with access to CEs’ PHI for compliance.

One of the biggest differences of phase 2 is that audits will be conducted with an updated protocol. Rather than perform on-site audits, phase 2 will be a more remote process. The OCR will inform a CE of what data, files and documentation it needs, then providers have two weeks to provide the information or face stricter compliance reviews.

Some of the areas the OCR is planning to scrutinize are:

  • risk analysis and risk management
  • compliance with the Privacy Standards’ reasonable safeguards requirement
  • device and media controls, and
  • training on security policies and procedures.

Business associates will be reviewed for proper risk analysis and risk management, and for timely breach reporting to CEs.

As you can probably tell, the OCR is largely looking for a certain level of preventive action.

That means, in addition to some other steps the lawyers point out, facilities can prepare by:

  • finding out when the last comprehensive risk assessment was conducted for your entire facility
  • addressing any vulnerable areas revealed from recent assessments
  • having a complete list of business associates in the event of a phase 2 audit
  • confirming that staff members have been thoroughly trained on PHI security, and related policies and procedures, and
  • ensuring that electronic devices and software that carry or transmit PHI use encryption technology.

You’ll also want to keep a written record of your security steps to help show your commitment to preventing breaches.

The good news about the phase 2 audits is that the HHS will use the audits to create a list of best practices other healthcare providers can utilize.
