In 2011 and 2012, the HHS Office for Civil Rights (OCR) established an audit program to assess the controls and processes covered entities have implemented to comply with the HIPAA Privacy, Security and Breach Notification Rules. Phase 2 of the Audit Program has been looming for some time now, with continued delays. The latest news is that the Phase 2 audits will now start in 2015. The latest delay is attributed to an upgrade in the technology OCR uses to collect and analyze audit data.

Phase 2 of the Audit Program, which covers business associates as well as covered entities, is not conducted on site and relies heavily on meticulous record keeping. Entities will have only two weeks to respond to a data request. Failure to provide accurate and complete information may lead to a full compliance review and enforcement action.

Phase 2 of the HIPAA Audits will focus on the high-risk areas identified in Phase 1 of the audit program. The first phase found that two-thirds of audited entities lacked a complete or accurate risk assessment, and that Security Rule provisions accounted for the majority of findings and observations. These areas are likely to receive extra scrutiny in Phase 2.

According to data shared on the Privacy & Security Law Blog by Anna C. Watterson, 56% of healthcare organizations audited in Phase 1 became aware of additional HIPAA requirements as a direct result of being audited. Being prepared before an audit begins can go a long way toward easing the audit process and avoiding unnecessary fines. Of course, the same precautions are also what help prevent costly data breaches in the first place.

For more on the current state of HIPAA and how it impacts healthcare organizations, we offer the following resources:

  • A complimentary report from Gartner: As HIPAA Regulations Get Teeth, Healthcare Feels the Bite. This report includes insight on how to implement a risk management program, how to evaluate specific compliance activities based on advice from legal counsel, and the need to revisit security planning to ensure existing protocols are appropriate based on your HIPAA risk assessment.
  • A webinar featuring insight from Stephen Treglia, head of Legal Counsel at Absolute. Data Breaches – Don’t be a Headline features an intriguing look at the vulnerabilities that can lead to a data breach and incur substantial legal and financial consequences, as well as ways to protect your organization.
  • Stephen Treglia again takes a look at the regulatory landscape of compliance penalties and class action damages in our webinar on the Healthcare Budget Crisis.
  • Another complimentary report from Gartner, Top Actions for Healthcare Delivery Organization CIOs: Get Realistic about HIPAA Security, looks at how to move accountability for information security and privacy up to the board level by leveraging the increasing public attention to privacy breaches.