Month: April 2016

The HIPAA Audit Program and you

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits to confirm that organizations are in line with HIPAA protocol. The 2016 Phase 2 HIPAA Audit Program is looking to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts by being more proactive.

For fiscal year 2016, the budget for OCR’s office increased by $4 million over the year before in anticipation of these audits. The audits will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards (laid out in Phase 1) and implementation specifications of the Privacy, Security, and Breach Notification Rules.

These audits were mandated by the HITECH Act, which requires periodic random audits to assess entity compliance with HIPAA. They will primarily be desk audits, but some on-site audits can occur. An audit could be anything from a drop-in one-hour audit to a multi-day operational audit.

Let’s look back:

Before Phase 2 (the audits) began, OCR started with Phase 1:

“HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk. HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. OCR also conducted an extensive evaluation of the effectiveness of the pilot program. Drawing on that experience and the results of the evaluation, OCR is implementing phase two of the program, which will audit both covered entities and business associates. As part of this program, OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the efficacy of desk audits in evaluating the compliance efforts of the HIPAA regulated industry. Feedback regarding the protocol can be submitted to OCR at OSOCRAudit@hhs.gov.” – HHS.gov