About the HIPAA Privacy, Security, and Breach Notification Audit Program
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. This is part of its ongoing efforts to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy regulations, which require the protection and confidential handling of protected health information.
Covered entities are defined in the HIPAA rules as “(1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards”.
The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. OCR randomly selected 200 covered entities, which will be audited by December 31, 2016. Some on-site audits will be performed, but most audits will be desk audits.
Audits are an important compliance tool that enables OCR to identify best practices and detect and address risks and vulnerabilities to protected health information (PHI). The information gained from the audits will help OCR develop tools and technical assistance to prevent breaches and to build a permanent HIPAA audit program.
OCR is committed to transparency about the process and will post updated audit protocols on its website. You can find it here:
How Your Organization Can Prepare
Most healthcare organizations are pretty confident about the Phase 2 HIPAA Audits, while some will be concerned, depending on their current measures for safeguarding protected health information. Protecting health information is a two-step approach that requires understanding the risks and knowing how to effectively manage them. Healthcare organizations should always know what happens in their electronic health records and systems.
But it’s not only about health IT. It’s also about staff education, business operations, and the quality of patient care.
The good news is that the OCR is committed to full transparency about how the audits work and about the results obtained. The OCR Phase 2 audits will provide valuable insight into the present state of HIPAA compliance in the healthcare industry. Room for improvement will be made visible and gaps will be identified. Eventually, this might be a good chance for simplified HIPAA compliance and improved healthcare.
Primeau Consulting Group can assist your organization in preparing for the desk audits and in reducing risks associated with HIPAA investigations and security breaches. Our experts designed our Privacy&Security Solutions Toolkit as a simple and affordable monthly subscription service that provides:
- Access to a Virtual Privacy and/or Security Officer
- A complete Privacy and Security Risk Analysis
- Implementation of an organization-wide Privacy & Security Management Program
- Tracking and evaluation of wrongful disclosures and potential Privacy-Security violations
- Awareness, education and training of staff on PHI protection
Contact us to hear about how our Privacy&Security Solutions Toolkit can help you meet the PHI challenge: https://primeauconsultinggroup.com/privacysecurity-solutions-toolkit.html