HIPAA Audits Update – Second phase of Audits

Let’s phase it, the audits are not going away and we had better be prepared for them. Based on that fact alone, it should be no surprise to anyone that the Office for Civil Rights (OCR) is now launching its second phase of HIPAA audits. While the compliance requirements have not necessarily changed, there are some changes in this phase that merit mentioning. I have looked at the guidance, the current regulations and the presentations from the OCR representatives and have come up with at least three things to keep in mind:

  1. Response time is now ten days versus a month in previous cases;
  2. Business Associates will be audited;
  3. The protocol for the audit has more than 180 questions.

“[OCR will] be looking at risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications,” OCR Director Jocelyn Samuels said at the 24th National HIPAA Summit in the District of Columbia. Based on the above we recommend the following actions:

  1. Complete a Risk Analysis
  2. Complete a Risk Management Plan
  3. Update your Notice of Privacy Practices
  4. Update your list of Business Associates
  5. Review your policies and procedures

Ideally we would recommend becoming familiar with the OCR audit protocols. On the other hand, we recognize that the protocol, with over 180 areas of inquiry, may be a little intimidating, so at the very least start with the above list and then make your way into the audit protocols. Also, make sure you have an updated Business Associate agreement and get some written assurances to make sure your Business Associates are in compliance with the rules and the agreement.