<div dir="ltr"><a href="http://www.databreachtoday.com/interviews/how-to-prepare-for-phase-two-hipaa-compliance-audits-i-3137">http://www.databreachtoday.com/interviews/how-to-prepare-for-phase-two-hipaa-compliance-audits-i-3137</a><br><br><div class="" name="interview-text" id="interview-text">
<p>Now that the <a href="http://www.healthcareinfosecurity.com/this-years-hipaa-audits-interim-step-a-8985">Department of Health and Human Services</a> has announced that it will soon begin the next round of <a href="http://www.healthcareinfosecurity.com/hipaa-hitech-c-282">HIPAA</a>
compliance audits, organizations need to take specific steps to prepare
in case they're chosen for scrutiny, says attorney Robert Belfort, a
regulatory specialist.</p>
<p>"Preparation has hopefully been going on for a while," Belfort notes,
because HHS' Office for Civil Rights has been signaling for the last
two years that it plans to resume the audits. "But, at this point, there
are a few different steps that organizations can and should be taking,"
he says in an interview with Information Security Media Group.</p>
<p>For example, covered entities and business associates should conduct
an internal gap analysis of their HIPAA compliance programs. Any such
analysis should include "a crosswalk between an organization's existing
policies, practices and procedures ... and the HIPAA requirements," he
says.</p>
<p>"If there are gaps, such as no policies in certain areas, or a
[security] risk analysis hasn't been done recently, then efforts can be
made to fill those gaps hopefully before any audit commences."</p>
<p>Another critical step, Belfort says, is to clearly designate who
should take the lead role in responding to an audit inquiry. "There
should be one point person who is designated with authority to interface
with OCR," he says. "That person should have access to other staff in
the organization who may be necessary to respond to the audit requests.
You don't want to be scrambling to figure out what your organizational
model is for handling the audit on the day when the request comes in,
because OCR has suggested there will be a relatively short turnaround
time for producing documents."</p>
<h3>Desk Audits</h3>
<p>On March 21, OCR announced that phase two of the audits will launch
soon, focusing on about 200 remote "desk audits" of covered entities and
business associates, to be completed by the end of December, followed
by a handful of onsite audits later.</p>
<p><a href="http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#when" target="_blank">HHS</a>
says the phase two audits "are primarily a compliance improvement
activity ... to help OCR better understand compliance efforts with
particular aspects of the HIPAA Rules." However, the agency adds that a
poor audit could result in additional scrutiny. "Should an audit report
indicate a serious compliance issue, OCR may initiate a compliance
review to further investigate," the office warns.</p>
<p>Belfort says that if OCR finds, for example, "that an organization never did a <a href="http://www.healthcareinfosecurity.com/risk-assessment-c-44">risk analysis</a>, I don't think it will view that solely as an <a href="http://www.healthcareinfosecurity.com/awareness-training-c-27">educational</a>
opportunity. ... If organizations have clearly ignored certain
requirements - they haven't done a risk analysis, never issued privacy
notices to patients, have no policies in place to handle patient
requests for records - I think those clear violations will be what tends
to push things over to the enforcement side." </p>
<p>In the interview, Belfort also discusses:</p>
<ul>
<li>Why the compliance audits could result in OCR resolution agreements and settlements containing financial penalties for some auditees;</li>
<li>The differences between what OCR will likely inspect during remote "desk" audits versus more comprehensive onsite audits;</li>
<li>The likelihood of OCR launching a permanent HIPAA compliance audit program.</li>
</ul>
<p>Belfort, a partner in the healthcare practice of Manatt, Phelps &
Phillips LLP, has more than 20 years of experience representing
healthcare organizations on regulatory compliance and transactional
matters. He advises hospitals, health insurers and medical groups on
issues involving HIPAA, <a href="http://www.healthcareinfosecurity.com/privacy-c-151">privacy</a>, <a href="http://www.healthcareinfosecurity.com/fraud-c-148">fraud</a> and abuse, managed care and accountable care.</p>
</div><br></div>