Though the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has told organizations to expect the Phase 2 HIPAA audits soon for almost two years now, it appears that the audits truly are around the corner. In September, OCR Director Jocelyn Samuels confirmed that the next phase of the audit program will be launched soon, and the agency is stepping up its HIPAA oversight efforts. OCR also recently confirmed that it had selected a vendor to conduct the Phase 2 audits. Before these audits start, there are a few key things to make sure your organization is doing in order to be fully prepared.
From what we know so far, the Phase 2 audits appear to be more focused and higher stakes. OCR has stated that a revised audit protocol will be released, but a date for such release has not yet been set. In addition, the Phase 2 audits will reach not only covered entities, but also business associates. The audits will be:

  • more limited in scope, focusing on specific areas of common non-compliance;
  • primarily “desk audits,” in which entities will be required to submit documentation electronically, in accordance with tight deadlines, with no opportunity for follow-up or clarification; and
  • a vehicle for OCR to identify best practices, though they may lead to further investigation and referral to a regional office for a comprehensive compliance review.

The good news is, there’s still time to prepare. What can your organization do to be ready in case you’re selected for a Phase 2 HIPAA audit?

  • Maintain a robust privacy and security program
  • Prioritize
  • Identify gaps and remediate accordingly
  • If you’re doing it, document it
  • Know your team
  • Learn from the past
  • Timing is everything, and practice makes perfect

Source: Lexology – Hogan Lovells (Marcy Wilder, Paul Otto and Madeline Gitomer)