Tuesday, May 17, 2016

The HIPAA Phase 2 Audits ... Here's the Skinny!

The Health and Human Services' Office of Civil Rights (OCR) has initiated Phase 2 of the HIPAA Privacy, Security and Breach Notification Audit Program (Program).  

If you are a HIPAA Covered Entity (CE) or Business Associate (BA), here's the skinny ... 

1.   AUDIT PROCESS.  The Program involves a multi-step process: (a) verification of CE and BA contact information; (b) pre-audit questionnaire and random sampling process to select CE and BA audit subjects; (c) notification letter and document request; (d) desk review; (e) on-site review of CE and BA selected from desk reviews and otherwise; (f) draft report; (g) CE (or BA) comment period; (h) final audit report.  

2.   AUDIT PROTOCOL.  The Program uses an Audit Protocol that is organized around the Privacy, Security and Breach Notification Rules: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html  

3.   AUDIT GOAL.  The primary goal of the Audits is to review the policies and procedures for CE and BA compliance with selected Rules.  As with the Phase 1 Audits, the process is primarily a compliance improvement activity; however, OCR may initiate a follow-up compliance review as necessary.  

4.   COMPLIANCE REVIEWS.  A compliance review may be initiated by the OCR following receipt of a complaint, a breach notification, a media report, an audit report or otherwise, for "no reason." The compliance review is a multi-step process that includes (a) written notification and document request; (b) desk review; (c) on-site review that includes observations, interviews and additional document review that may extend over several days; (d) closing conference.  As necessary, OCR can also initiate subpoenas and other inquiries to complete the process.  Violations identified as a result of the compliance review may result in voluntary compliance, corrective action and/or resolution agreements that may impose multi-year monitoring and civil money penalties, among other requirements, all subject to a fair hearing procedure.  

5.   AUDIT RESULTS.  OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public, subject to FOIA regulations.  

6.   AUDIT READINESS.   How best to prepare for the Phase 2 Audits?  Assemble an in-house work group, print a copy of the Audit Protocol and begin your own self-study of the current policies and procedures and the related forms and documentation that evidence compliance with these policies and procedures.  

For questions or other Phase 2 Audit readiness follow-up, please contact Susan Ziel at Integrity Health Strategies -- sziel@ihsconsultinggroup.com or (317) 819-7704.  
