HIPAA Audits of Physician Practices – Phase II Audits

The HHS Office for Civil Rights (“OCR”) has Officially announced The commencement of its 2016 Phase 2 HIPAA Audit . In Phase 2, OCR Will be reviewing the policies and procedures of covered entities and their business associates. This phase of audits is intended to determine whether providers have properly implemented and satisfy standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. For the most part, Phase 2 audits will Years include only document review to determine compliance with policy and procedure Requirements. In cases of noncompliance, the initial document review may turn into a formal site visit and more complete hip audit.

The OCR will be sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. This will be followed by transmission of a pre-audit questionnaire Asking for information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools. It is critical that providers respond to the request fro information within the specified timeframes. Failure to respond may increase the  of further audit and scrutiny. More details will b forthcoming from OCR regarding audit protocols.

Not ll providers will be subject to audit.  OCR is in effect using the increased risk of audit to assure that providers make preparations and enhance their policies, procedures, business associates agreements and other compliance documentation and practices.  A provider’s chance of audit are much greater under the phase 2 audit program than under the prior phase. Given the public nature and time that providers have been given to get their ship in order, audits are likely to be less forgiving that the previous phase.

What does this mean to providers?  Now is the time to make retain that hipaa practices, policies and procedures are in compliance with legal requirements.  Providers may consider performing effectiveness audits of their hipaa process to identify any gaps in policy and practice that could lead to further investigation under The phase 2 program.