Ready or not, Phase 2 audits are here

Briefings on HIPAA, May 1, 2016

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

HIPAA audits

OCR's long-awaited Phase 2 HIPAA Audit Program is finally in full swing. On March 21, OCR announced that it will begin verifying the contact information of covered entities (CE) and business associates (BA) selected for audits (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html). This shouldn't surprise savvy healthcare organizations. The audits kicked off after a flurry of activity from OCR and HHS, including pricey HIPAA settlement fines and the publication of user-friendly HIPAA guidance for providers, developers, and patients.

One of the biggest questions is whether CEs and BAs are ready. Will auditors find HIPAA compliance is a breeze for most? Or will many organizations discover they're missing the mark?

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of Wipfli, LLP, in Eau Claire, Wisconsin, thinks a number of CEs and BAs will be in for a shock when they read their audit reports. Some aren't meeting basic HIPAA requirements, he says, and the more auditors look, the more problems they might find. "The question of whether OCR will really know just how bad the problem is will depend on how deep they look," he says.

Some organizations may hit a bump when auditors look at their HIPAA policies and procedures. Hirsch says that although most large CEs have these in place, some may not have updated them in years; it's possible they won't reflect the changes made by HITECH and the HIPAA final rule.

Risk assessments and analyses are likely to be another area where CEs and BAs fall short, Phyllis A. Patrick, MBA, FACHE, CHC, CISM, president of Phyllis A. Patrick and Associates, LLC, in Southport, North Carolina, says. A number of OCR's recent enforcement actions included high fines that the agency said were a direct result of insufficient or nonexistent risk analyses and assessments.

Reece Hirsch, Esq., a partner at Morgan Lewis in San Francisco, agrees. "Based on the findings of the Phase 1 audits, it's clear that HIPAA Security Rule compliance, and particularly security risk assessment, are problem areas."
