
Preparing for the Phase II HIPAA Audits

The Phase II HIPAA Audits are expected to start soon. This document is a primer on where we have been, where we are going, and what you can do now to prepare for a Phase II Audit.

I. Phase I Audits: Where have we been?

While the overall goal is to prepare for the HIPAA Phase II Audits, it is worth briefly looking back at the Phase I Audits, if only to understand how the upcoming round will differ.

The Phase I HIPAA Audits were completed in 2011 and 2012. That round included only 115 organizations: health plans, healthcare clearinghouses, and providers. No business associates were included in Phase I. These audits were comprehensive, in that they covered the Security Rule, Privacy Rule, and Breach Notification Rule. They were completed on site by a contractor of the Office for Civil Rights (“OCR”), the organization tasked with HIPAA enforcement.

Looking just at the providers audited in Phase I, there were a total of 61 organizations. Of those, 59 had at least one negative finding. Of all 115 organizations audited, OCR found that only 11% had no negative findings. In other words, issues were found across nearly every organization audited. Providers had the most difficult time with compliance of the three types of covered entities, and among providers, small providers had the most egregious issues.

For providers, the Security Rule was where most negative findings were identified. According to OCR, the most common cause of a negative finding was that the entity was “unaware of the requirement.” However, OCR has consistently held that ignorance of the requirements is not a defense. Organizations with negative findings were therefore still cited, regardless of whether they had been aware of the requirements.

II. Phase II Audits: Where are we going?

According to the latest information from OCR, Phase II of the HIPAA Audits is set to begin this Fall. The audits will be conducted by OCR staff rather than contractors, and are unlikely to be on site; they will therefore be desk audits. The audits are projected to run through 2016, in several cycles, and will include a total of 350 Covered Entities and 50 Business Associates over the course of the Phase.

Copyright 2014 QI Partners, LLC

The first round of Audits is slated to start late this year and will include only Covered Entities. It will focus on four issues:

• Security Risk Analysis and Management;
• Breach Notifications;
• Privacy Notices; and
• Access Issues.

In early 2015, the audits will shift to Business Associates, and will focus on two issues:

• Security Risk Analysis and Management; and
• Breach Reporting to Covered Entities.

Then, later in 2015, a different group of Covered Entities will be audited on four issues:

• Device and Media Controls;
• Transmission Security;
• Privacy Safeguards; and
• Workforce Training.

Finally, the last cycle of the Phase II Audits will take place at some point in 2016, and will focus on:

• Encryption and Decryption;
• Facility Access Controls; and
• Other high-risk areas yet to be determined.

These timelines can, and likely will, be delayed. In spring 2014, OCR expected to send surveys to Covered Entities, which would have been a potential indication of an upcoming audit. As of this writing, those surveys have not been sent. It is therefore likely that the Audits will not start until sometime in 2015, with corresponding delays to the rest of the timeline.

III. How to Prepare for Phase II Audits

A. Identify Business Associates: OCR is expected to ask every Covered Entity audited for a list of its Business Associates. These lists are anticipated to form the pool of Business Associates from which some will be selected for audit. It is therefore best to have this list available as soon as possible. There will not be a great deal of time to produce documents once they are requested, and this information is often scattered across an organization. The time to prepare this list is now.

B. Include Dates on All Documentation of the Compliance Program: OCR is looking for a current, ongoing, and comprehensive HIPAA compliance program, not a one-time project. Ensure that all documentation of your HIPAA Compliance Program is dated as of the last time it was reviewed. Better yet, documents should carry multiple dates, indicating that they have been periodically reviewed.

C. Documentation Should Accurately Reflect the Compliance Program: Auditors will not contact organizations for clarification of documents after they have been submitted. What is submitted must therefore accurately and comprehensively demonstrate the completeness of an ongoing compliance program.

D. Only Submit What Is Requested: Leave the kitchen sink at home. Give OCR what it asks for, and little, if anything, more. Extraneous information could confuse the reviewer and lead to a more in-depth compliance review.

E. Have a Current Risk Assessment: This is a fundamental requirement of the Security Rule and is absolutely necessary for compliance.

F. Notice of Privacy Practices: A Notice of Privacy Practices must meet all requirements and be posted in waiting areas and online. Additionally, organizations should have policies and procedures that outline how receipt of the Notice is documented.

G. Policies and Procedures for Individual Access: Ensure they are in place and up to date.

H. Incident Response Policies and Procedures: Ensure that policies and procedures for responding to an incident are in place. Have the members of an incident response team identified, and ensure they understand their roles and responsibilities.

In closing, there are still many unknown factors surrounding the Phase II Audits, including their timing. There will certainly be updates to come. We are monitoring the situation and will provide timely updates as it warrants.

[Figure: HIPAA Phase II Audit Security & Privacy Program Readiness checklist: Identify Business Associates; Date all Documentation; Reflect the Program Accurately; Only Submit What’s Requested; Notice of Privacy Practices; Individual Access and Incident Response Policies and Procedures]

About the Author:

Adam Bullian brings years of experience in regulatory compliance in healthcare and HIPAA. He has assisted organizations in creating compliance programs, developing lobbying strategies, and building workforce training programs. His commitment to healthcare issues has been apparent throughout his career, from his involvement in early state implementation efforts for the Affordable Care Act to the founding of a non-affiliated political action committee. He holds a Bachelor's Degree in History and Political Science from West Virginia University and a Juris Doctorate Degree from the West Virginia University College of Law.

Adam J. Bullian, Esq.

1133 15th Street, NW, 12th Floor Washington, DC 20005

(202) 594-5761

abullian@qipsolutions.com

About QiP:

Based in the Washington, D.C. Metro Area, with partners nationwide, and drawing on deep professional experience in healthcare information technology and security, risk management, audit, and legal practice, QiP Solutions provides clear, cost-effective, and comprehensive solutions to healthcare compliance challenges. For more information, please visit our website at www.qipsolutions.com or email info@qipsolutions.com.
