Preparing for the Phase 2 HIPAA Audits
Recent comments by the OCR indicate that the Phase 2 HIPAA Audits will likely begin soon. In preparation for the Phase 2 Audits, both covered entities and business associates should:
Carefully review their privacy and security policies, compile evidence that the policies have been implemented and enforced, and be able to demonstrate that they review and update policies in light of changes in law, operations and information technology standards;
Conduct and/or update Security Rule risk assessments (as the lack of a proper risk assessment was a repeated observation during the Phase 1 Audits);
Review covered entity and business associate relationships to ensure compliance with HIPAA;
Review training programs and ensure workplace training has occurred and is up-to-date;
Review compliance with an enhanced focus on certain high-risk areas, including: (1) patients' rights to access their personal health information; (2) authorizations; (3) minimum necessary use and disclosure; (4) encryption of electronic transmissions, mobile devices, and portable media containing protected health information (USB drives, etc.); (5) logging; (6) access controls; (7) notice of privacy practices; and (8) breach notification (including the content and timeliness of a breach notification).
While the OCR delay was welcome news to covered entities and business associates, each organization should use the extra time to prepare in case it is selected for a Phase 2 Audit.
To learn more, check out the educational resources offered by Ice Miller's Data Security and Privacy practice.