Lobbying Affiliate: MML&K Government Solutions
{ Banner Image }

Healthcare Law Blog

Comprehensive Healthcare law services.
It's kind of our bag.

Contact Us

250 Character(s) Remaining
Type the following characters: hotel, six, whisky, six, mike, romeo

* Indicates a required field.

Categories

McBrayer Blogs

Related Blogs

Are You Ready for Round Two?

In February 2014, the Health and Human Services Office of Civil Rights (“OCR”) announced its plans to send pre-audit surveys to between 550 and 800 entities during the summer in preparation for Phase 2 HIPAA compliance audits. After collecting information from those surveyed, OCR will select about 400 of those entities for actual HIPAA audits. Those audits will begin this fall – which is quickly approaching.

Of the 400 entities selected for audit, it is anticipated that 350 will be covered entities (further broken down as 232 health care providers, 109 health plans, and 9 health care clearinghouses) and the remaining organizations will be business associates. This is the first time the government will audit business associates. In addition to the increased scope, there a number of ways in which the Phase 1 audits (conducted in 2011 and 2012) differ from the upcoming round:

  • Contractors conducted Phase 1 audits, but OCR staff will primarily conduct Phase 2.
  • Phase 2 audits will target the HIPAA Standards, which the Phase 1 audits yielded high non-compliance numbers. The audits will be broken down by type: 100 entities will be audited for compliance with the Privacy Rule (including Notices of Privacy Practices and patient access to PHI); 100 will be audited on content and timeliness of notifications under the Breach Notification Rule; and 150 will be audited on the risk analysis and management standards of the Security Rule. Business associates will only be audited for risk analysis, risk management, and breach reporting to covered entities.
  • Phase 2 will not consist of on-site visits, but rather desk-audits. Auditors will not have the opportunity to seek clarification or additional data and only data submitted on time will be considered.
  • OCR has indicated that Phase 2 and future audits may be tied to enforcement, whereas the findings from Phase 1 were not used for enforcement purposes.

For more information about the Phase 2 process and how to prepare for a potential audit, visit the site again on Thursday.

Services may be performed by others.

This article does not constitute legal advice.

Lexington, KYLouisville, KYFrankfort, KYFrankfort, KY: MML&K Government Solutions