HIPAA Phase 2 Audits are Coming

We’ve known for a while that HIPAA Phase 2 audits are coming, and we know that the hospitals to be audited have been randomly selected. Once the online portal for data submission is complete, the audits will begin.

Mostly for Data Gathering

These HIPAA Phase 2 audits are primarily data gathering. The Department of Health and Human Services is particularly interested in assessing compliance moving forward as electronic health records become standard. Unlike the audits and goals during Phase 1, Phase 2 will be far more focused and the scope will be narrower. The three major areas of interest, and not a moment too soon with the high profile data breaches we’ve seen of late, include:

  1. Security
  2. Breaches
  3. Privacy

Start With An Internal Audit of Your Own

Even though the audits may not have started yet, this is the perfect time for hospitals to be doing their own audits to catch any potential areas of vulnerability should they be selected for an OCR audit.

4 Key Focuses of OCR Audits

There are four key areas hospitals should be looking at as they complete their own internal audits:

  1. A thorough security risk analysis
  2. Documented justification for any standards they haven’t yet adopted
  3. An active HIPAA compliance program that they can develop and demonstrate
  4. A robust breach response plan, ready to execute in the event of a breach

New Rules

The various “rules” that have been set forth by OCR include one that requires any breach affecting more than 500 individuals to be reported to OCR without delay. Launching a thorough and timely investigation into the cause of the breach will be of utmost importance.

Don’t Forget Paper

Even though there has been an increased focus on electronic breaches, many hospitals are still at least partially reliant on paper records, and case studies have shown that nearly a quarter of patient record breaches are paper-based. That’s not surprising when you consider that access to paper records can’t be tracked the way access to a computer can, so they are much easier to glance at or even pilfer than an encrypted, computer-based record.

Gearing Up for HIPAA Phase 2 Audits

Phase 1 audits started over three years ago, and some hospitals might be having a hard time gearing up for another round, given the delay. The best defense against breaches, of course, is preparation. And similarly the best way to survive an audit, if your hospital is chosen for one, is to be prepared and calm in the face of scrutiny. The scrutiny isn’t necessarily meant to instill fear in healthcare organizations, however. Rather it’s much more about uncovering areas that could be problematic in the future and taking the proper steps to protect patient data.

Where to Start?

OCR will also continue to look at high-impact cases of noncompliance during the HIPAA Phase 2 audits and will launch investigations into suspected or confirmed breaches. In the meantime, continue to check your email and the OCR website to find out if you’ll be audited, when the audits will begin, and what to be sure you’ve completed in the meantime.

If it all seems like a lot and you aren’t sure where to start, the first place to start should be with your policies and procedures. Review them with an eye toward any potential areas of improvement and make a point of changing or updating them without delay.