Recently, the Director of the Department of Health and Human Services Office for Civil Rights (“OCR”) confirmed that OCR is still working to finalize the procedures for “Phase Two” HIPAA audits. OCR had initially planned to launch the Phase Two audits in the Fall of 2014. Apparently, the delay is the result of behind-schedule implementation of the technology that OCR will use to collect audit-related documentation from covered entities and business associates via a web portal. An official date for the launch of Phase Two audits has not yet been announced.
The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act, and is designed to test entities compliance with the Privacy Rule, Security Rule, and Breach Notification Standards. If you are a covered entity or business associate, this delay in the launch of Phase Two audits provides a great opportunity to conduct a comprehensive assessment of your current HIPAA compliance program. This means doing much more than just checking boxes and having an old binder of policies and procedures on your shelf. Instead, covered entities and business associates need to take real action, such as reviewing the audit protocol from the pilot program and applying it to your organization, conducting a risk assessment, engaging a dialogue with your compliance officer, and reviewing/updating training materials, among others.
Being proactive now will go a long-way towards easing the burden of Phase Two audit, should your organization be selected.