The governing body of HIPAA, the HHS Office for Civil Rights (OCR), officially announced on March 21st, 2016 that it is embarking on Phase 2 of its HIPAA compliance audits this year. These audits are part of a continued effort to enforce compliance with the HIPAA Privacy, Security, and Breach Notification Rules. As in Phase 1, which was conducted in 2013, the OCR will be targeting both covered entities (CAs) and their business associates (BAs) to evaluate their ability to meet selected standards and implementation specifications. A key difference, however, is that this year includes an updated protocol, published recently, that cites approximately 180 areas for potential compliance scrutiny by auditors.
Will you be able to demonstrate your compliance, or will you face financial and reputational harm for failing an audit? Here are 7 Steps to Ensure Your Compliance.
If you’re reading this and beginning to experience a sinking feeling, let me share three action items to help you get out in front of these audits and ensure that, if you are among the OCR’s selected targets, you’ll be able to handle the situation appropriately.
- Whitelist OSOCRAudit@hhs.gov Immediately: This is probably one of the most crucial steps. Fortunately for most, it’s an easy one. The OCR will be sending out email correspondence to the organizations it has selected for auditing. Whether or not the email hits your inbox, you’re on the hook. Be sure to whitelist the OCR email address (OSOCRAudit@hhs.gov) to ensure it does not get caught in spam. You have ten days to reply, and doing so could mean the difference between passing an audit and failing miserably.
- Get a Jumpstart: The OCR has posted an audit protocol online covering the specific areas of scrutiny for which it will evaluate those who come into contact with ePHI. It is a great tool to prepare for any potential OCR investigations, whether they are related to Phase 2’s audits or caused by a complaint or breach report.
- Remember what the HIPAA Omnibus Rule taught us. Business associates and their subcontractors are directly liable for HIPAA compliance. You must evaluate, right away, the businesses you partner with to create, store and transmit the ePHI of which you are the lawful custodian. And, if your cloud storage provider is not able to prove compliance, you may need to change vendors. Consider using a provider with proven experience working collaboratively with businesses to maintain compliance.
If you have any questions about HIPAA Compliant Hosting solutions, we’re more than happy to help answer them for you.
Don’t be caught off-guard if you survive 2016 unscathed. On-site audits are scheduled to continue in 2017. Even if you are not one of the hundreds of CAs and BAs selected for a desk audit in 2016, the threat of being found non-compliant still lingers. The OCR will be targeting an additional subset of businesses, making house calls to their places of business to evaluate and enforce their compliance. Act proactively and use these action items to prepare for that possibility.
Remember, failing to demonstrate compliance can potentially result in civil or legal penalties, fines, and damage to your company’s reputation.
More questions about what’s to come? Visit the U.S. Department of Health & Human Services Audit Information Page. If you have any questions, feel free to reach out. We’re here to help.