The second phase of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits has begun. Towards the end of 2017, covered organizations were selected for desk audits and the initial round of audits has now been finished. Now OCR has progressed to auditing business associates of covered organizations.
Speaking at HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially scheduled for Q1, 2017, are to be delayed. This gives covered organizations more time to prepare for the second phase.
The phase 2 HIPAA compliance desk audits were more thorough than the initial phase of audits completed in 2011/2012. The desk audits included a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to show compliance.
The onsite audits will be much more detailed and will look much deeper into groups’ compliance programs. Not only will covered organizations have to show auditors documentation displaying compliance with HIPAA Rules, but OCR will also be looking for proof of HIPAA in action.
To help with the audit preparation process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. The toolkit can be used by covered organizations to assess their compliance efforts and see whether they have all the necessary documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act requirements.
The new toolkit outlines the legal process of the HIPAA compliance audit program, OCR processes, and now includes the updated HIPAA audit protocol used by OCR in the second phase of the compliance audits.
The new toolkit includes HIPAA compliance checklists covering policies, procedures, and documentation that are likely to be sought by Office for Civil Rights auditors, together with a master policy template for the privacy and security rule compliance program.
AHIMA has also incorporated tips and best practices that can be implemented by HIPAA-covered organizations and their business associates to help them meet all of their obligations, along with a HIPAA audit preparation guide.
AHIMA members can download the HIPAA audit readiness toolkit for free in the HIM Body of Knowledge section of the AHIMA website or through its web store.
The onsite audits may have been delayed for a while, but covered organizations should ensure they are ready for an audit. Even if the audits slip into 2018 as hinted by McGraw, OCR still reviews all HIPAA breaches of more than 500 records. In the event of a data breach, OCR will require proof of compliance with HIPAA Rules, and massive fines await groups found not to be adhering to the HIPAA Privacy, Security and Breach Notification Rules.