Preparing for the Phase 2 HIPAA Audits

With the Phase 2 HIPAA Audits coming soon, do you know how you will be impacted?

In an attempt to verify compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, the Office for Civil Rights (OCR) for the United States Department of Health and Human Services piloted privacy and security audits of covered entities in 2011 and 2012 (the “Phase 1 Audits”).  In general, HIPAA covered entities include health care clearinghouses, health care providers (that engage in certain electronic transactions such as billing for services), and health plans (including health insurers and self-funded employer-group health plans). 

In March 2014, the OCR announced that it would implement a second phase of audits to begin in the fall of 2014 for covered entities and 2015 for business associates (the “Phase 2 Audits”).  In the fall of 2014, the OCR announced that the Phase 2 Audits have been delayed until the OCR is able to implement a new web portal which audited entities will use to submit information.  Recent comments by the OCR indicate that the Phase 2 Audits will likely begin soon.  In the meantime, covered entities and business associates should take advantage of the delay by reviewing their current HIPAA compliance programs. What was the outcome of the Phase 1 Audits and how will this impact Phase 2?

Phase 1 Audit Findings

In the Phase 1 Audits, the OCR audited sixty-one providers, forty-seven health plans, and seven clearinghouses.  Ice Miller represented one of the forty-seven health plans included in the Phase 1 Audits.  Phase 1 Audits were outsourced by OCR to an outside agency and typically lasted three to four weeks (300 – 400 hours).  Eighty-nine percent of the entities audited during the Phase 1 Audit were subject to findings and/or observations due to compliance deficiencies.  The following table provides a brief summary of common Phase 1 Audit findings.

HIPAA Rule: Overview of Phase 1 Audit Findings

Security Rule: 60% of Phase 1 Audit findings were the result of Security Rule violations.  Two-thirds of those audited failed to provide a complete and accurate risk assessment.

Privacy Rule: Common Privacy Rule Phase 1 Audit findings included: (1) failure to meet the requirements for access to protected health information; (2) inadequate notice of privacy practices; and (3) the timing and content of breach notices.

Breach Notification Rule: Only 10% of Phase 1 Audit findings were the result of Breach Notification Rule violations.

The most common cause for compliance deficiencies was a lack of awareness concerning the regulatory requirements.  Other causes cited by the OCR included lack of resources, incomplete implementation and, on a few occasions, disregard for requirements.  The Phase 1 Audits established a robust auditing strategy applied to various types of providers subject to HIPAA regulations.  With that auditing strategy in place, the OCR is now preparing for the Phase 2 Audits which will include business associates, unlike Phase 1. The Phase 2 Audits will differ in other ways as well.

Setting Expectations for the Phase 2 Audits

Previously, the OCR had announced that during the Phase 2 Audits, it would utilize “desk audits” rather than onsite visits.  However, recent announcements by the OCR indicate that while most audits in Phase 2 will still be desk audits, the OCR is planning to conduct more on-site, comprehensive audits than previously planned.  While the Phase 1 Audits were conducted by outside contractors, the OCR will personally conduct the Phase 2 Audits. 

What should you expect with a desk audit? Desk audits are administered by sending a list of required documents to the audited organization which must then submit the documents for review by OCR personnel.  The organization has two weeks to respond to the request.  Desk audits involve no personal interaction and, as a result, no opportunity to ask questions of the auditor or provide clarifications.  Therefore, a positive audit outcome depends on proper documentation, written in a clear and comprehensive manner. 

It is presumed that the OCR will continue the policy from the Phase 1 Audits that allowed revision and/or creation of requested documentation up until the submission date; however, with success contingent upon good documentation, two weeks will not likely provide sufficient time to create and implement required policies. 

The following table outlines OCR’s expectations for Phase 2 Audits.

Phase 2 Audits: OCR Expectations
  • Only timely submitted documentation will be reviewed by the OCR.
  • Documentation must be current as of the date of the request.
  • As originally proposed for the desk audits, auditors will not contact the organization for clarification or additional information.
  • Submitting extraneous documentation may hinder the auditing process and will potentially cause adverse audit findings.
  • OCR will review all documents submitted.  Any issues identified in extraneous documentation will be acted upon.

What can your organization do to prepare for the Phase 2 Audits?

In preparation of the Phase 2 Audits, both covered entities and business associates should:
  • Carefully review their privacy and security policies, compile evidence that the policies have been implemented and enforced, and be able to demonstrate that they review and update policies in light of changes in law, operations and information technology standards;
  • Conduct and/or update Security Rule risk assessments (as lack of a proper risk assessment was a repeated observation during the Phase 1 Audits);
  • Review covered entity and business associate relationships to ensure compliance with HIPAA;
  • Review training programs and ensure workplace training has occurred and is up-to-date;
  • Review compliance with an enhanced focus on certain high risk areas including: (1) patients' rights to access their personal health information; (2) authorizations; (3) minimum necessary use and disclosure; (4) encryption of electronic transmission, mobile devices, and devices containing protected health information (USB drives, etc.); (5) logging; (6) access controls; (7) notice of privacy practices; and (8) breach notification (including the content and timeliness of a breach notification).

While the OCR delay was welcome news to covered entities and business associates, each organization should use the extra time to prepare in case it is selected for a Phase 2 Audit.

In the meantime, please contact Chris Sears at 317-236-5891, Taryn Stone at 317-236-5872, Nick Merker at 312-726-2504, or Margaret Emmert at 317-236-2169 for further information or if you have any questions regarding these issues.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances. 
