Health Information Management

Phase 2 audit protocol

Briefings on HIPAA, July 1, 2016

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

HIPAA audits

Phase 2 audit protocol

As Phase 2 of the HIPAA audit program begins, covered entities (CE) and business associates (BA) will be watching their email for an audit letter from OCR. Of those chosen for audit, most will be selected for a desk audit. They'll have 10 days after receipt of the email to gather requested documents for OCR's auditors.

But how will CEs and BAs know they are collecting the right information? A careful reading of the updated Phase 2 audit protocol (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) will help guide CEs and BAs. But if the protocol isn't read carefully, and in full, important documents could easily be left out, leading to inaccurate audit reports and even a visit from OCR's investigators.

The Phase 2 audit protocol expands the Phase 1 compliance areas to reflect changes made by the 2013 HIPAA omnibus final rule. The updated audit protocol also includes information for BAs, which were not audited during Phase 1 but will be in the current round of audits. The protocol contains a description of the audit areas, general instructions and definitions, and a keyword-searchable table.

Phase 2 audits will be conducted in three rounds. The first two rounds will consist of desk audits of specific audit targets, while the third round will be comprehensive audits. Round one audits will target CEs and round two audits will target BAs.

Round one CE audit targets will target:

  • Security: risk analysis and risk management
  • Breach: content and timeliness of notifications
  • Privacy: notice and access

 

The round two BA audits will target:

  • Security: risk analysis and risk management
  • Breach: breach reporting to covered entities

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular