[BreachExchange] How to Prepare for 'Phase Two' HIPAA Compliance Audits

Inga Goddijn inga at riskbasedsecurity.com
Tue Mar 29 09:35:59 EDT 2016 

http://www.databreachtoday.com/interviews/how-to-prepare-for-phase-two-hipaa-compliance-audits-i-3137

Now that the Department of Health and Human Services
<http://www.healthcareinfosecurity.com/this-years-hipaa-audits-interim-step-a-8985>
has announced that it will soon begin the next round of HIPAA
<http://www.healthcareinfosecurity.com/hipaa-hitech-c-282> compliance
audits, organizations need to take specific steps to prepare in case
they're chosen for scrutiny, says attorney Robert Belfort, a regulatory
specialist.

"Preparation has hopefully been going on for a while," Belfort notes,
because HHS' Office for Civil Rights has been signaling for the last two
years that it plans to resume the audits. "But, at this point, there are a
few different steps that organizations can and should be taking," he says
in an interview with Information Security Media Group.

For example, covered entities and business associates should conduct an
internal gap analysis of their HIPAA compliance programs. Any such analysis
should include "a crosswalk between an organization's existing policies,
practices and procedures ... and the HIPAA requirements," he says.

"If there are gaps, such as no policies in certain areas, or a [security]
risk analysis hasn't been done recently, then efforts can be made to fill
those gaps hopefully before any audit commences."

Another critical step, Belfort says, is to clearly designate who should
take the lead role in responding to an audit inquiry. "There should be one
point person who is designated with authority to interface with OCR," he
says. "That person should have access to other staff in the organization
who may be necessary to respond to the audit requests. You don't want to be
scrambling to figure out what your organizational model is for handling the
audit on the day when the request comes in, because OCR has suggested there
will be a relatively short turnaround time for producing documents."
Desk Audits

On March 21, OCR announced that phase two of the audits will launch soon,
focusing on about 200 remote "desk audits" of covered entities and business
associates, to be completed by the end of December, followed by a handful
of onsite audits later.

HHS
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#when>
says the phase two audits "are primarily a compliance improvement activity
... to help OCR better understand compliance efforts with particular
aspects of the HIPAA Rules." However, the agency adds that a poor audit
could result in additional scrutiny. "Should an audit report indicate a
serious compliance issue, OCR may initiate a compliance review to further
investigate," the office warns.

Belfort says that if OCR finds, for example, "that an organization never
did a risk analysis
<http://www.healthcareinfosecurity.com/risk-assessment-c-44>, I don't think
it will view that solely as an educational
<http://www.healthcareinfosecurity.com/awareness-training-c-27>
opportunity. ... If organizations have clearly ignored certain requirements
- they haven't done a risk analysis, never issued privacy notices to
patients, have no policies in place to handle patient requests for records
- I think those clear violations will be what tends to push things over to
the enforcement side."

In the interview (see audio link below photo), Belfort also discusses:

   - Why the compliance audits could result in OCR resolution agreements
   and settlements containing financial penalties for some auditees;
   - The differences between what OCR will likely inspect during remote
   "desk" audits versus more comprehensive onsite audits;
   - The likelihood of OCR launching a permanent HIPAA compliance audit
   program.

Belfort, a partner in the healthcare practice of Manatt, Phelps & Phillips
LLP, has more than 20 years of experience representing healthcare
organizations on regulatory compliance and transactional matters. He
advises hospitals, health insurers and medical groups on issues involving
HIPAA, privacy <http://www.healthcareinfosecurity.com/privacy-c-151>, fraud
<http://www.healthcareinfosecurity.com/fraud-c-148> and abuse, managed care
and accountable care.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160329/922fda37/attachment.html>

More information about the BreachExchange mailing list