HIPAA Phase 2 audit protocols released
Physician Practice Insider, April 19, 2016
The Office for Civil Rights (OCR) released updated audit protocols and other audit documents for Phase 2 of its HIPAA audit program. The updated protocol contains a description of the audit areas, general instructions and definitions, and a keyword searchable table.
The audit protocol covers Privacy Rule, Security Rule, and Breach Notification Rule requirements. Privacy Rule requirements are further broken down into specific targets:
- Notice of privacy practice for protected health information (PHI)
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
The Phase 2 audit protocol expands the compliance areas to reflect changes made by the 2013 HIPAA Omnibus Final Rule. The updated audit protocol also includes information for business associates (BA). BAs were not audited during Phase 1, but will be included in the current round of audits.
The table maps audit areas to sections of the legislation, key activities OCR expects covered entities (CE) and BAs to take, performance criteria, and audit inquiry. The table goes into a high level of detail and lists more than 100 audit areas.
Although the audit protocol has been published and is not likely to be revised before the audit requests are sent, OCR is accepting feedback.
Along with the updated Phase 2 audit protocol, OCR also published the pre-screening questionnaire it will send to CEs and BAs selected for audits. The questionnaire begins with four basic questions that apply to all entities and is then divided into sections for healthcare providers, BAs, healthcare clearinghouses, and health plans.
In addition to the pre-screen questionnaire, CEs will be asked to submit a list of their BAs. OCR published a sample BA listing template CEs can use to complete this requirement. The sample template has 27 items and reports information such as the service a BA provides, contact information for up to two individuals at the listed BA, and the BA’s website.
OCR announced it would begin verifying the contact information of CEs and BAs selected for Phase 2 audits March 21.
This article was originally published in the Revenue Cycle Daily Advisor.