What Are They Looking For?
In its announcement on the HHS Health Information Privacy website, OCR stated that "The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules."
The HITECH Act, which was passed in 2009, made provisions for OCR to routinely audit CEs and BAs for compliance with the Privacy, Security, and Breach Notification Rules. Each of these rules has been enforced with increasing frequency over the past year, and now it seems that OCR Director Jocelyn Samuels is taking that enforcement one step further.
The Phase 1 audits were carried out in 2011 and 2012; however, they only targeted CEs. The results of Phase 1 showed a shocking pattern of non-compliance, with only 11% of audits reporting no findings, meaning that only 11% of the Covered Entities that were audited showed no deficiencies in their compliance.
Understanding what's required of your organization under the Privacy, Security, and Breach Notification Rules should be a priority among potential auditees. However, users of The Guard can rest easy knowing that all of the necessary policies and procedures outlined by these HIPAA Rules are built into our solution. If you've done your due diligence and made progress with your compliance implementation, you should be well on your way to understanding what's required of you.
Who's Going to be Audited This Time?