With the Phase 2 HIPAA Audits coming soon, do you know how you will be impacted? 

In March 2014, the Office for Civil Rights (OCR) announced that it would implement a second phase of audits to begin in the fall of 2014 for covered entities and 2015 for business associates (the “Phase 2 Audits”). In the fall of 2014, the OCR announced that the Phase 2 Audits have been delayed until the OCR is able to implement a new web portal which audited entities will use to submit information. Recent comments by the OCR indicate that the Phase 2 Audits will likely begin soon. In the meantime, covered entities and business associates should take advantage of the delay by reviewing their current HIPAA compliance programs.

What was the outcome of the Phase 1 Audits and how will this impact Phase 2?

Phase 1 Audit Findings

In the Phase 1 Audits, the OCR audited sixty-one providers, forty-seven health plans, and seven clearinghouses.  Ice Miller represented one of the forty-seven health plans included in the Phase 1 Audits. Phase 1 Audits were outsourced by OCR to an outside agency and typically lasted three to four weeks (300 – 400 hours).  Eighty-nine percent of the entities audited during the Phase 1 Audit were subject to findings and/or observations due to compliance deficiencies.  The following table provides a brief summary of common Phase 1 Audit findings.

HIPAA Rules: Overview of Phase 1 Audit Findings  

Security Rule: 60% of Phase 1 Audit findings were the result of Security Rule violations.  2/3 of those audited failed to provide a complete and accurate risk assessment. 

Privacy Rule: Common Privacy Rule Phase 1 Audit findings included: (1) failure to meet the requirements for access to protected health information; (2) inadequate notice of privacy practices; and (3) the timing and content of breach notices.

Breach Notification Rule: Only 10% of Phase 1 Audit findings were the result of Breach Notification Rule violations.

The most common cause of compliance deficiencies was a lack of awareness concerning the regulatory requirements. Other causes cited by the OCR included lack of resources, incomplete implementation and, on a few occasions, disregard for requirements. The Phase 1 Audits established a robust auditing strategy applied to various types of providers subject to HIPAA regulations. With that auditing strategy in place, the OCR is now preparing for the Phase 2 Audits, which, unlike Phase 1, will include business associates. The Phase 2 Audits will differ in other ways as well.