Could OCR’s “Phase 2” Mean a HIPAA Audit for You?

Think HIPAA audits are on the rise? It's not your imagination. In March 2016 the Office for Civil Rights (OCR) announced the launch of Phase 2 of its HIPAA audit program. Since then, 167 healthcare providers have already received audit notices. The goal is to reduce privacy and security violations, a growing concern in the healthcare industry. In 2014, millions of patient health records were exposed, and data breaches have increased by 138 percent since 2012. Providers now risk large fines for non-compliance. But what does a HIPAA audit entail? And what should you do if you face one?

What You Need to Know

Phase 1 was a pilot that assessed organizations against the full range of HIPAA standards. Phase 2 narrows the focus to the areas where Phase 1 found the most non-compliance, such as transmission security, device and media controls, and the notice of privacy practices, and it covers business associates as well as covered entities. Although most Phase 2 audits are desk audits conducted remotely from the documents you submit, some on-site visits will be conducted, so healthcare providers should be prepared for an actual inspection.

“Audits are an important compliance tool,” says the OCR. “These tools enable us to identify best practices. We also uncover and address risks and vulnerabilities to protected health information.”


If You Receive a HIPAA Audit Notice

If you receive an audit notice, here’s what to expect:

  • You'll first receive an email asking you to verify your details, including the address of your business entity and your primary contact information.
  • Next, you'll be asked to complete a pre-audit questionnaire about the size, type, and operations of your organization. The questionnaire has four parts: "instructions," "contact and entity information," "questions," and "review and submit."
  • Receiving the email and questionnaire does not necessarily mean you have been selected for an audit; OCR uses the responses to build the pool from which auditees are drawn. You will still need to return the requested information to OCR promptly, and a non-response does not remove you from consideration.

“Our HIPAA audits will enhance industry awareness of compliance obligations […]” notes the OCR. “Through the information gleaned from the audits, the OCR will develop tools and guidance to assist the industry in compliance […].”

How to Start Preparing for a HIPAA Audit

Although auditees are selected from the pool rather than by any prior indication of a problem, it's best to be prepared. Improving HIPAA compliance will not only benefit your patients but also help ensure you don't receive any costly fines. The best way to prepare is to obtain a formal risk assessment from a qualified third party. The Security Rule already requires every covered entity to conduct and document a risk analysis, and a missing or outdated one is among the most common findings, so the assessment both satisfies that requirement and identifies the security and privacy operations that need improvement.

Meanwhile, here are a few things you can do:

  • Encrypt electronic PHI both where it is stored (laptops, workstations, backups, mobile devices) and when it is transmitted (email, file transfer, web portals). Under the breach notification rule, PHI that was encrypted to HHS standards when it was lost or stolen is not "unsecured" PHI, so encryption can keep a lost device from becoming a reportable breach.
  • All your staff should know the HIPAA standards and your own policies. If they don't, invest in a training program for your employees and keep records of who completed it.
  • Treat mobile devices that store or can reach PHI as regulated equipment: require a passcode and device encryption, keep an inventory, and do not share them with people who must not have access to PHI, such as family members or personal acquaintances.
  • Make sure you have a signed Business Associate Agreement in place with each outside vendor that creates, receives, maintains, or transmits PHI on your behalf.
  • Avoid sending PHI offshore. Make sure your vendors house all their operations in the U.S. (for example, all of ReminderCall.com's operations, including servers and staff, are located in the U.S.).
  • Dispose of all protected health information properly: shred paper records, including patient financial information, and securely wipe or physically destroy electronic media before it is discarded or reused.

The Takeaway

About 15 million people in the U.S. have their identities stolen every year, with collective financial losses adding up to more than $50 billion. The healthcare industry accounted for 42 percent of all data breaches in 2014. Although a HIPAA audit might seem intimidating, Phase 2 was introduced to protect your patients' private information and to keep your practice out of more serious enforcement actions and litigation. Preparing for a HIPAA audit is not only a crucial part of your compliance strategy; it's also simply a smart thing to do.