The Office for Civil Rights (OCR) of the Department of Health and Human Services announced a “Phase 2” audit program in the Fall of 2014. That audit program was delayed due to funding issues, but appears to be back on schedule for 2015. The Phase 2 audits are expected to be more in depth and to focus on reviewing procedures and documentation in the areas of HIPAA security and privacy risk management, breach notification and the Notice of Privacy Practices. Although the early Phase 2 audits are expected to target Covered Entities (health plans, including employer-sponsored self-insured group health plans, health care providers and health care clearinghouses), the audits are also expected to expand to include HIPAA Business Associates.
What should you do to prepare for a Phase 2 HIPAA audit? Entities may wish to take the following steps:
- Conduct an internal audit (HHS OCR issued an audit protocol in 2012, and a Covered Entity may use it as a guide for its own internal privacy and security analyses);
- Implement and/or update your HIPAA Privacy and Security Policies;
- Appoint a HIPAA Privacy Officer and a Security Officer (and ensure those Officers understand their responsibilities);
- Train employees who have access to Protected Health Information (“PHI”) on privacy and security rules; and
- Limit both physical and electronic access to PHI to those employees who are authorized to access it.