HIPAA Phase 2 audits to focus on industry security deficiencies found in previous audits

Physician Practice Insider, September 8, 2015

Ready or not, Phase 2 of OCR's HIPAA audit program is nearly ready to begin, and healthcare organizations and their business associates (BA) should be prepared to open their books to federal regulators.

As many as 700 covered entities (CE) may receive a pre-audit survey from OCR, assessing each organization's suitability for an audit, but only 150 CEs and 50 BAs will actually be chosen for an official review—that's half the number of audits the federal agency initially planned to conduct in Phase 2. This smaller number is likely reflective of OCR realizing the enormity of the task, considering the agency has limited staffing and will not have the help of an outside firm, says Reece Hirsch, Esq., a healthcare regulatory attorney at Morgan Lewis in San Francisco and a Briefings on HIPAA (BOH) editorial advisory board member.

The audit program is mandated by the HITECH Act. Its intent is to allow OCR to periodically analyze processes, controls, and policies related to the HIPAA Privacy, Security, and Breach Notification Rules, and then use those results as an educational tool. It's not intended to be about enforcement, says Mac McMillan, FHIMSS, CISSM, CEO of CynergisTek, Inc., in Austin, Texas, and a BOH editorial advisory board member. If the audit is "really bad," however, and reveals serious compliance problems for a CE or BA that auditors believe are due to negligence, says McMillan, it's reasonable to surmise that the auditors would request a separate investigation by OCR's enforcement division.

Another point to bear in mind, he says, is that the audit report will go on file with the OCR. If the audit reveals areas of noncompliance—say, in regard to encrypting mobile devices—and an organization promises to address these issues, but then experiences a data breach two years later because it didn't encrypt all its devices and disregarded auditors' recommendations, OCR now has documented proof of neglect.

"At some point in the future, OCR will be able to say, 'Hey, you've had the same problem five times now, what's going on?' " says McMillan.

The first phase of HIPAA audits, which was limited to 115 CEs, took place in 2011 and 2012, setting the stage for the Phase 2 desk audits and helping OCR narrow its audit focus. This means OCR will not conduct on-site audits of CEs and BAs in Phase 2 unless resources are available. However, in recent days, agency officials have given indications there will be some site visits in this phase, say McMillan and Hirsch.

This article was excerpted from the September issue of Briefings on HIPAA.