HIPAA Phase 2 audit protocols released
Physician Practice Insider, April 19, 2016
The Office for Civil Rights (OCR) released updated audit protocols and other audit documents for Phase 2 of its HIPAA audit program. The updated protocol contains a description of the audit areas, general instructions and definitions, and a keyword searchable table.
The audit protocol covers Privacy Rule, Security Rule, and Breach Notification Rule requirements. Privacy Rule requirements are further broken down into specific targets:
- Notice of privacy practice for protected health information (PHI)
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
The Phase 2 audit protocol expands the compliance areas to reflect changes made by the 2013 HIPAA Omnibus Final Rule. The updated audit protocol also includes information for business associates (BA). BAs were not audited during Phase 1, but will be included in the current round of audits.
The table maps audit areas to sections of the legislation, key activities OCR expects covered entities (CE) and BAs to take, performance criteria, and audit inquiry. The table goes into a high level of detail and lists more than 100 audit areas.
Although the audit protocol has been published and are not likely to be revised before the audit requests are sent, OCR is accepting feedback.
Along with the updated Phase 2 audit protocol, OCR also published the pre-screening questionnaire it will send to CEs and BAs selected for audits. The questionnaire begins with four basic questions that apply to all entities and is then divided into sections for healthcare providers, BAs, healthcare clearinghouses, and health plans.
In addition to the pre-screen questionnaire, CEs will be asked to submit a list of their BAs. OCR published a sample BA listing template CEs can use to complete this requirement. The sample template has 27- items and reports information such as the service a BA provides, contact information for up to two individuals at the listed BA, and the BA’s website.
OCR announced it would begin verifying the contact information of CEs and BAs selected for Phase 2 audits March 21.
This article was originally published in the Revenue Cycle Daily Advisor.
Related Products
-
Physician Practice Perspective
Physician Practice Perspective subscribers can find the archive of issues on the Part B News website. Find more information...
-
Medical Environment Update
A subscription to Medical Environment Update pays for itself by saving you time sorting through complex regulations and...
-
HealthLeaders Media Physician Leaders
HealthLeaders Media Physician Leaders offers commentaries that focus on the hottest issues for doctors as well as concise...
-
Medical Environment Update - Electronic and Print, 1 year
A subscription to Medical Environment Update pays for itself by saving you time sorting through complex regulations and...
-
Medical Environment Update - Electronic, 1 year
A subscription to Medical Environment Update pays for itself by saving you time sorting through complex regulations and...
Most Popular
- Articles
-
- CMS seeks comment on quality measures
- Don't forget the three checks in medication administration
- Practice the six rights of medication administration
- Note similarities and differences between HCPCS, CPT® codes
- What to include on the incident report
- Q&A: Primary, principal, and secondary diagnoses
- Code diagnoses and outpatient treatment for PTSD
- Understanding nursing roles in quality improvement
- OB services: Coding inside and outside of the package
- Differentiate between types of wound debridement
- E-mailed
- Searched
