Phase 2 HIPAA Audits Will Continue in 2017 | HIPAA Compliance for Medical Practices | Scoop.it

Phase 2 HIPAA Audits are targeting random health care practices and organizations around the country. Having an effective HIPAA compliance program is the easiest way to pass your audit. Read on to find out what you can do to protect your behavioral health practice!

Upcoming Phase 2 Audit Protocols

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first announced this new round of random audits in 2016. Phase 2 is the second time in OCR’s history that it has instituted a random audit program. Phase 1 HIPAA Audits were rolled out in 2011 and affected a similar number of health care providers across the country.

OCR has designed these Phase 2 audits to target a broad selection of HIPAA-beholden health care organizations. That includes both Covered Entities (CEs) and Business Associates (BAs).

HIPAA defines a Covered Entity as any health care provider, including Behavioral Health specialists, that creates protected health information (PHI). PHI is any health data that can be used to identify a patient (including name, date of birth, social security number, address, medical data, etc.). HIPAA defines a Business Associate as any organization that encounters PHI over the course of the work it has been hired to do (examples include billing firms, cloud storage providers, faxing, shredding, copying, and IT providers, to name a few).

So how do you know if your behavioral health organization has been selected for a Phase 2 HIPAA audit?

OCR will reach out to your organization via email if you have been randomly selected for an audit. You should look out for emails from "OSOCRAudit@hhs.gov".

Once you’ve been contacted for an audit, you will have 10 days to respond to OCR’s request for information. If your organization does not respond for any reason, federal investigators will continue to contact your organization until they receive a response; this includes using publicly available information to call or otherwise contact you.

One of the first things federal investigators will ask for is a complete list of your organization’s business associates, with contact information for each. Identify your business associates now so that you’re prepared for these upcoming HIPAA audits.

Additionally, your organization must have a HIPAA compliance program in place, with full documentation that can be provided to OCR investigators on request.

Desk Audits vs. Onsite Audits

Phase 2 HIPAA Audits consist of a number of different stages.

The first stage is desk audits, which are a series of remote audits. OCR investigators will contact your organization via email and you’ll be prompted to send the appropriate information. Investigators will not come to your physical location, but you’ll still be required to comply with the investigation.

Onsite audits are another means of investigation that OCR is set to pursue in 2017. Onsite Phase 2 HIPAA Audits will require federal OCR investigators to come onsite to inspect your organization. They will be checking your level of compliance with HIPAA regulations.