Author: Gene Geiger, CPA, CISSP, CCSK, QSA, PCIP, ISO 27k LA, and Partner at A-LIGN.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced Phase 2 of the HIPAA Audit Program.
Every covered entity and business associate will be eligible to be audited. OCR will select organizations across a broad set of criteria in order to assess compliance across the industry. Upon selection, an organization will be contacted by OCR and will have ten days to submit documentation via OCR’s secure online portal so that the OCR auditors can assess compliance with the HIPAA Privacy, Security, or Breach Notification Rules. Three types of audits will be conducted: desk audits and onsite audits, followed by a third set of onsite audits that will examine a broader scope of requirements from the HIPAA Rules. All desk audits will be completed by the end of December 2016.
After the audit is completed, OCR will review and analyze all collected information and aggregate the results so that it can better understand compliance efforts with regard to the HIPAA Rules. During Phase 1 of this program, OCR found that nearly two-thirds of all covered entities had not performed a risk assessment, as required by the HIPAA Security Rule.
In order to prepare for Phase 2, all organizations that have not previously performed a risk assessment as required by the HIPAA Security Rule should have one conducted. In addition, organizations should ensure policies and procedures are up to date, while also conducting periodic evaluations of the controls that are in place. This is essential in order to meet the ten-day submission window set by OCR.