Share this article on:
Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits are now well underway. Late last year, covered entities were selected for desk audits and the first round of audits have now been completed. Now OCR has moved on to auditing business associates of covered entities.
At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1, 2017, are to be delayed. This gives covered entities more time to prepare.
The phase 2 HIPAA compliance desk audits were more detailed than the first phase of audits conducted in 2011/2012. The desk audits covered a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to demonstrate compliance.
The onsite audits will be much more thorough and will look much deeper into organizations’ compliance programs. Not only will covered entities be required to show auditors documentation demonstrating compliance with HIPAA Rules, OCR will be looking for evidence of HIPAA in action.
To help with the audit preparation process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. The toolkit can be used by covered entities to assess their compliance efforts and determine whether they have all the necessary documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act requirements.
The new toolkit details the legal process of the HIPAA compliance audit program, OCR processes, and now incorporates the updated HIPAA audit protocol used by OCR in the second phase of the compliance audits.
The new toolkit contains HIPAA compliance checklists covering policies, procedures, and documentation that is likely to be requested by Office for Civil Rights auditors, together with a master policy template for the privacy and security rule compliance program.
AHIMA has also included tips and best practices that can be adopted by HIPAA-covered entities and their business associates to help them meet all of their responsibilities along with an HIPAA audit preparation guide.
AHIMA members can access the HIPAA audit readiness toolkit free of charge in the HIM Body of Knowledge section of the AHIMA website or through its web store.
The onsite audits may have been delayed, but covered entities should ensure they are ready for an audit. Even if the audits slip into 2018 as hinted by McGraw, OCR still investigates all breaches of more than 500 records. In the event of a data breach, OCR will require evidence of compliance with HIPAA Rules and heavy fines await organizations found not to have complied with the HIPAA Privacy, Security and Breach Notification Rules.