OCR Starts Phase 2 HIPAA Audit to include Business Associates (BAs)
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has just released notices to Covered Entities and Business Associates on the 2016 Phase 2 HIPAA Audit Program.
During these HIPAA audits, the OCR will review the policies and procedures adopted and employed by Covered Entities and their Business Associates to meet the standards and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules. The OCR will give you less than 10 days to respond to these letters. The first set of HIPAA audits will be desk audits; all desk audits will be completed by the end of 2016.
What should I expect during this HIPAA Audit?
During the Desk Audit you will be required to provide the following:
- Policies and Procedures that conform to HIPAA guidelines and the Omnibus Rule
- Evidence that shows you are complying with HIPAA regulations and the Omnibus Rule
- A list of all Business Associates and sub-contractors. You will be asked for full contact details
- A HIPAA Risk Self-Assessment based on the Omnibus Rule
Audit failures will result in corrective action or a penalty
If your organization does not respond to the OCR’s audit request, the OCR will add your organization to the next phase, which will be an OCR site audit. The OCR will use publicly available information about your organization to issue you a formal request for a compliance audit.
The OCR will be fully transparent about the audit process and its requests for evidence. The audit process will reflect the HIPAA Omnibus Rulemaking, so your organization can use it as a tool to conduct its own internal self-audits as part of its HIPAA compliance activities. For more information about the OCR’s Phase 2 Audit program, please visit the HHS website here: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
For more information, feel free to reach out to us about HIPAA Risk Assessment, Healthcare IT Policies and Procedures, or Data Privacy and Compliance web tools at [email protected]