For the last 24 months, we’ve heard in the blogosphere – HIPAA AUDITS ARE IMMINENT! Well, it appears we are one step closer to the promised Phase 2 audits required under the HITECH Act. (You can learn about the Phase 1 Audits here.) HHS has just released their Phase 2 Pre-Audit Survey. You can see it here.
So what does this mean?
This means the Office of Civil Rights (OCR) is prepared to begin the Phase 2 Pre-Audit surveys any day now. The Phase 2 program is focusing on what OCR considers areas of greater risk. Investigators will be looking at how companies and practices are securing Protected Health Information (PHI).
How is OCR doing these audits?
Right now, all we know is that they will send out these pre-audit surveys to an expanded group of Covered Entities, and this time Business Associates will be included. If you receive one of these surveys, you will be required to respond within 2 weeks, but there won’t be any contact from OCR auditors. These are going to be “Desk Audits”. This means you will be required to send copies of your HIPAA Compliance plan to OCR for review. OCR is planning on making Desk Audits a big part of their enforcement plan. If you don’t respond, or are found to be lacking, a referral could be sent to your OCR Regional Office for a full compliance review.
How long are these audits going to be running?
The timeline for Phase 2 Audits, once they get started, is roughly 2-3 years. The exact dates and the selection process have been classified as ‘random selection’, but, officially, the Office of Management and Business website says that 500 covered entities and 200 business associates will receive the survey.
Is OCR Really Coming For Me?
We all know that the chances you will receive one of these audits are pretty slim, but we talk about this all the time. We aren’t advocating you implement HIPAA Compliance in order to protect yourself from legal action. Implementing HIPAA is about best business practices. Protect your clients and patients, and by doing so, protect your business!
On to the 5 steps you can take to protect yourself today!
- Perform a Risk Analysis: This isn’t an optional item for HIPAA Compliance, nor should it be for your business. You owe it to your clients/patients to evaluate your security holes, and address them!
- Complete Privacy and Security Policies and Procedures: You are required to document how you protect information for HIPAA Compliance. How is your work force or OCR supposed to know how you protect PHI if you haven’t documented these policies?
- Identify Business Associates: With whom are you sharing your clients’/patients’ information? You are required to have Business Associate Agreements in place for any 3rd parties that handle information on behalf of your company/practice. Identify them and ask to review their HIPAA Compliance Plan before you sign off on those agreements. Read more on how to audit your Business Associates here.
- Encrypt Everything: Yep, I said everything. Computers, tablets, mobile devices, backups, SD Cards, Emails, flash drives… this list goes on and on. You will have a detailed list of electronic devices after you do your Risk Analysis.
- Train all your Employees: There are 2 parts to this training. Your employees need to understand the basics of the HIPAA law, what they can and cannot say, and they need to know what your specific Policies and Procedures are. You can have the world’s greatest HIPAA Compliance plan, but it’s all for naught if you don’t share it with your employees!
We cannot control if or when an OCR audit may hit your company or practice. I cannot stress this enough: you have a responsibility to protect your clients and patients by taking HIPAA Compliance seriously NOW! Which scares you more, a random HHS audit, or having to contact your clients or patients to inform them you are responsible for losing their information? The second scenario is a more tangible fear in my book. Would you continue to work with a company or practice that lost your Protected Health Information?