Preparing for Phase 2 HIPAA Audits: It’s All About the Documentation

Morgan Lewis

The launch of Phase 2 HIPAA audits is imminent. Although any individual hospital has only a small chance of getting audited, preparation helps protect a hospital if it is ever investigated for potential HIPAA violations. In large part, that preparation should focus on ensuring that the documentation of compliance is complete and without deficiencies.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits of covered entities and business associates evaluating compliance with the HIPAA privacy, security, and breach notification rules. OCR recently announced a slight pause before commencing the audits and a shift in focus, which makes this a perfect time for a hospital to perform a HIPAA compliance check-up to ensure that it is ready if selected for a Phase 2 audit.

In September 2014, OCR announced that it was delaying the Phase 2 audits while it works to roll out a Web portal through which covered entities can submit audit data. At a recent conference, OCR Senior Advisor Linda Sanches said, “I’m ready to go, but our technology isn’t quite there yet.” In January 2015, OCR Director Jocelyn Samuels said Phase 2 audits would be “implemented expeditiously” and urged covered entities to keep checking the OCR website for additional information in the coming weeks and months. The random pool of covered entities to be audited has been selected, but as of this writing, we are not aware of any notifications that have been sent.

In preparing for a Phase 2 audit, a focus on HIPAA Security Rule standards is advisable. In the Phase 1 audits conducted during 2011 and 2012, security accounted for 60% of OCR’s findings and observations. A hospital’s check-up for a Phase 2 audit should include the following as priority tasks:

  • Confirm that all action items reflected in a security risk analysis have been completed or are on a reasonable schedule for completion
  • Where the hospital has chosen not to implement an addressable implementation specification of the Security Rule, confirm that clear documentation explains and justifies that decision and records the equivalent alternative measure adopted, if any
  • Ensure that HIPAA policies and procedures have been approved, implemented, and updated on a regular basis, which is an indicator of an active HIPAA compliance program
  • Implement a comprehensive breach response plan that reflects the four-factor breach risk-assessment standard introduced by the 2013 HIPAA Omnibus Final Rule

The Phase 2 audits will primarily be desk audits that focus on documents only, without on-site auditing. Therefore, proper documentation is particularly critical. Even the failure to sign a policy prior to the date of an audit request may create a presumption of noncompliance.

Given the relatively small sample size (perhaps as small as 200 organizations, including business associates), the chances that a particular hospital will be selected for audit are fairly low. However, preparing for an audit will help a hospital avoid sanctions in the event of an OCR investigation—which could be triggered by any breach or patient complaint reported to OCR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
