[BreachExchange] Here’s how to prepare your practice for Phase 2 HIPAA audits

[Audrey McNeil]

https://www.chiroeco.com/phase-2-hipaa-audits/

Almost two years have passed since the U.S. Department of Health and Human
Services’ (HHS) Office for Civil Rights (OCR) announced that Phase 2 HIPAA
audits would happen.

For those who have been selected as part of the audit process, the wait is
almost over. This article sets out to explain the purpose of the Phase 2
audits, how they differ to the Phase 1 (pilot) audits, and outline some of
the key steps organizations should take to prepare.

Meet Phase 2

Unlike the Phase 1 audits, which focused solely on covered entities and
were completed in 2011 and 2012, the Phase 2 audits will also assess the
business associates of those covered entities. HIPAA defines a business
associate as “a person or entity that performs certain functions or
activities that involve the use or disclosure of protected health
information on behalf of, or provides services to, a covered entity.” This
includes, but is not limited to, accountants, health plan providers, and
medical supply companies.

Furthermore, the Phase 2 audits will focus largely on the high-risk problem
areas identified in the Phase 1 audits, which include the following:

Risk analysis and risk management
Content and timelines of breach notifications
Notice of privacy practices
Individual access
Reasonable and appropriate privacy safeguards requirements
Training on HIPAA policies and breach notification procedures
Device and media controls
Transmission security
Preparing for an audit

Here are five things you can do to prepare if you are one of the 224
covered entities selected as part of the Phase 2 audits.

1. Compile details of your HIPAA compliance program

It is essential that your organization maintain and operate a comprehensive
HIPAA compliance program that addresses the HIPAA privacy, security, and
breach notification rules. HIPAA compliance should not be a one-time
project, and therefore OCR will be looking for evidence of an ongoing HIPAA
compliance program, including proof that policies are reviewed
periodically, in the way of dated documentation.

2. Provide proof of current risk

Ensure that your organization undertakes a thorough security risk
assessment, which HHS requires, and that a risk management plan exists,
including details of any security deficiencies that are ranked in order of
priority. Pay special attention to your handling of electronic protected
health information (e-PHI).

This kind of risk management and analysis should be an ongoing process. HHS
recommends that a covered organization regularly “reviews its records to
track access to e-PHI and detect security incidents, periodically evaluates
the effectiveness of security measures put in place, and regularly
reevaluates potential risks to e-PHI.”

If you need help conducting a risk assessment, The Office of the National
Coordinator for Health Information Technology (ONC), in collaboration with
the OCR and the HHS Office of the General Counsel (OGC) have developed a
tool to help guide you through the process. This can be found at
healthit.gov/providers-professionals/ security-risk-assessment-tool.

3. Make a list of business

It is expected that OCR will request a list of all business associates, and
their corresponding signed agreement. So, you should have this information,
as well as the services they provide, and their contact information,
documented in advance.

4. Staff training and responsibilities

HIPAA compliance starts with people.

Your organization should operate and document a robust training policy that
sets out to educate all members of staff on the HIPAA security and privacy
rules, as well as the procedures they should follow in event of a potential
data breach.

In addition to having staff trained, you should appoint someone within the
organization whose responsibility is to collect all necessary documentation
and act as the primary point of contact for OCR. Entities selected for
auditing will have two weeks to respond to OCR’s request, so it is crucial
that the response lands on the right person’s desk and is acted upon
immediately.

5. Documentation is key

Because the Phase 2 audits will primarily be desk audits that focus on
documents, there will be no room for verbal clarification. This makes the
need for proper documentation particularly important. Once documents are
submitted to OCR, there is no going back. Anything that is put forward must
comprehensively demonstrate your organization’s commitment to HIPAA
compliance as per the audit requirements.

Conversely, you should avoid oversharing any documentation that hasn’t
specifically been requested.

Any issues identified within extraneous documentation will be noted and
acted upon. And providing more information than requested by the auditors
could put your practice under unnecessary scrutiny.

The risks of noncompliance

The implications of failing an audit are one thing, but the real-world
issues associated with noncompliance can be far more significant. A data
breach can result in civil penalties, which are enforced by OCR and vary
from $100 to $1.5 million, as well as criminal penalties, which are
enforced by the U.S. Department of Justice and can in severe cases lead to
imprisonment.

There are also reputational consequences to consider; how might a data
breach at your organization affect business if it went public? These are
worrying thoughts, and stark reminders of just how crucial it is to ensure
your organization is HIPAA compliant.

Security first

Findings from the Phase 1 audits pointed to the HIPAA Security Rule as the
biggest problem area, and in most cases this was due to the entity being
unaware of the requirements surrounding this rule.

The bottom line is that ignorance is not a viable defense. In order to
ensure a successful audit, and ultimately minimize your risk of a data
breach within your practice, ensure that you and your staff have a solid
understanding of the HIPAA rules.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171024/c569f84c/attachment.html>