OCR announces that Phase 2 of randomized HIPAA audits has been delayed

As all of our dental offices know, earlier this year the OCR announced that Phase 2 of its HIPAA audit program would begin in October of 2014. Due to unexpected hitches in the development of the OCR's audit web portal, those audits have been pushed back. No firm date has been given, but the Office for Civil Rights is now aiming to begin the audits by the end of 2014 or the beginning of 2015.

Phase 1 only involved 115 HIPAA audits

Phase 1 was conducted in 2012 and covered just 115 covered entities. Only 11% of those entities had no compliance issues. The smallest covered entities struggled with all three HIPAA rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. The larger the covered entity, the more likely it was to pass its Phase 1 audit.
 
More than 39% of the Privacy Rule findings were attributed to the entity simply being unaware of the requirement in question.

Phase 2 involves up to 800 covered entities

Phase 2, now expected to run from the end of 2014 into the beginning of 2015, will cover up to 800 covered entities. The pool of CEs selected for audit will include, at minimum, large and small hospitals, dental practices, health insurance companies, and health plans. Audits of business associates, such as dmi Networking, are to follow.

The HIPAA audit process will utilize a newly developed web portal

The web portal is intended to streamline the pre-audit process. Covered entities will use it to submit documentation of their risk assessment and the specific policies the OCR requests. The portal will not be retired after Phase 2: once in place, it will hold a database of covered entities and the state of their compliance at the time of audit. As more covered entities store patient data digitally, the OCR could expand and maintain the portal to cover additional CEs and BAs.

Be prepared for a pre-screening

The most important part of HIPAA compliance is documentation of your privacy and security practices. As a covered entity, you must be able to produce a risk assessment and your policies and procedures, and you must have a Privacy Officer who can discuss those policies in detail. At minimum, a covered entity should be prepared to deliver the following:

  1. A comprehensive risk assessment that details the specific security vulnerabilities facing the practice
  2. Evidence that each action item arising from the risk assessment has a reasonable timeline for completion
  3. Documentation of any “addressable” implementation specifications that are not fully implemented, with the analysis and reasoning behind that decision
  4. A complete inventory of Business Associates with the accompanying BAAs
  5. A “Breach Notification Policy” that reflects the notification deadlines required under HIPAA
  6. A compliant “Notice of Privacy Practices”
  7. Safeguards not only for ePHI but for paper PHI as well
  8. A documented training manual for employee education on HIPAA compliance
  9. An inventory of network assets, including servers, workstations, fax machines, and any other device that stores or transmits PHI
  10. Documentation of the encryption used to protect ePHI, at minimum for data in transit
  11. A physical security plan
  12. A disaster recovery plan