OCR Begins Phase 2 Audit Program of Covered Entities and Business Associates
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it has begun Phase 2 of its HIPAA audit program. This audit phase will impact covered entities and their business associates.
The purpose of the Phase 2 audit program is to allow OCR to review the policies and procedures of covered entities and business associates to meet selected standards and implementation specifications of the HIPAA privacy, security, and breach notification rules (HIPAA Rules). OCR has indicated that it will utilize the Phase 2 audit findings to identify technical assistance it should develop for covered entities and business associates. To the extent an audit reveals a serious compliance issue, OCR may conduct a compliance review that could lead to civil monetary penalties.
The Audit Process
OCR is randomly contacting covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates to obtain information. Once OCR obtains contact information for covered entities, it will require completion of a questionnaire that asks about the covered entity’s operations and arrangements with business associates. Communications from OCR will be sent via email.
Auditees will be chosen through random sampling of the audit pool for participation in either a desk or an onsite audit. In terms of timing, covered entities who are selected for a desk audit must submit requested information within 10 business days of the information request. All documents are to be submitted digitally through the OCR's online portal. Auditees will be provided with draft findings and will have 10 business days to review and return such findings with comments. The auditor will then prepare a report within 30 business days of receiving comments.
Onsite audits, which will be more comprehensive than desk audits, will be conducted over a three to five day period at the auditee’s location. Like with desk audits, auditees will be provided with draft findings and will have 10 business days to review and return them with comments. The auditor will then prepare a report within 30 business days of receiving comments.
Now is the Time to Prepare and Assess Risks
Covered entities and business associates should take the appropriate steps to prepare for the possibility of a Phase 2 audit. It's not just a smart legal and business practice to evaluate whether your organization is safeguarding protected information, it's required by HIPAA.
In order to fulfill these requirements, all entities subject to HIPAA's Security Rule must run a risk assessment. Additionally, covered entities and business associates should review their HIPAA privacy policies and procedures to ensure that they are up-to-date with recent legal changes. Finally, covered entities and business associates should monitor their operations for purposes of HIPAA compliance.
For help completing your risk assessment, drafting policies based on your assessment and/or preparing for a Phase 2 audit, please contact Mindi M. Johnson.
With a business-minded approach, and service-oriented delivery, Mindi helps clients navigate challenges and solve problems in the areas of employee benefits law and health care law. Mindi has spoken and written extensively on employee benefits, health care reform, and health care law topics, and is actively involved in a number of legal, professional and industry organizations focused on these issues.View All Posts by Author ›
- Health Insurance Exchange
- Labor Relations
- Affordable Care Act
- Fraud & Abuse
- News & Events
- Department of Labor
- Health Care Reform
- Employee Benefits
- HITECH Act
- Did you Know?
- Electronic Health Records
- 6th Circuit Court of Appeals
- Accountable Care Organizations
- Digital Assets
Best Lawyers® 2020
Congratulations to the attorneys of the Health Care practice group at Foster Swift Collins & Smith, PC for their inclusion in the Best Lawyers in America 2020 edition. Firm-wide, 42 lawyers were listed. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation and as lawyers are not required or allowed to pay a fee to be listed; inclusion in Best Lawyers is considered a singular honor. Health Care practice group members listed in Best Lawyers are as follows:
- Gilbert M. Frimet, Southfield
- Richard C. Kraus, Lansing
- Gary J. McRay, Lansing
- Jack A. Siebers, Grand Rapids/Holland
- Jennifer B. Van Regenmorter, Holland
To see the full list of Foster Swift attorneys listed in Best Lawyers 2020, click here.