• E-mail
• Print
• RSS

Conducting a phase two audit self-review

Briefings on HIPAA, October 1, 2016

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

Conducting a self-review based on the audit protocols can help BAs prepare for desk audits; it can also help BAs and CEs get ready for the more exhaustive on-site audits. And as OCR steps up investigations of breaches large and small—while cyberthreats continue to mount—the audit protocols offer a blueprint that can help an organization identify and address risks.

The phase two audit protocols were built on the phase one protocols and updated to include changes made by the 2013 HIPAA omnibus final rule. (For more information on the phase two audit protocols, see the July issue of BOH.) The updates also include information specifically for BAs. But the protocols are useful beyond simply checking boxes for audited organizations: Any CE or BA can use them to evaluate compliance.

"Every affected organization should be routinely conducting reviews of its regulatory compliance," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. "Not only is this a good business practice, but it is explicitly required in the HIPAA Security Rule evaluation standard."

Some organizations may have put off these evaluations to deal with other compliance or business concerns, but privacy and security officers might see the tide finally turn in their favor. OCR's increased activity, as well as the rise in frequency and cost of data breaches, may put HIPAA compliance back in the spotlight. Privacy and security officers should revitalize efforts to conduct the gap analyses and mock audits CEs and BAs may have postponed, advises Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.

"Now may be a good time to bring a review of the audit protocol, which essentially helps provide an overall indication of one's state of compliance with many of the key areas within the HIPAA privacy, security, and breach regulations, from the drawing board to the to-do list," he says.

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

• E-mail to a Colleague
• Print
• RSS
• Archive