You might be selected for an audit by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) as part of the Phase 2 Audit Program. OCR will send email notifications to selected covered entities and business associates. The Phase 2 Audits will assess the policies and procedures that covered entities and business associates should have in place, in addition to compliance with the regulations outlined in the Privacy, Security, and Breach Notification Rules.

During the previous round of audits, OCR determined that a major weakness was the lack of a risk analysis. If you are found without a documented risk analysis, OCR will issue harsh penalties. Fortunately, OCR has made the audits a little easier by identifying its focus areas. Even if you aren’t being audited by OCR, your carrier could audit you, or you could experience an audit in the coming years. It is vital for your agency to review the audit focus areas and make sure your policies are up to date. The current audit protocol is available at: www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html. If you don’t know where to begin, start by completing the following key compliance tasks, which will be the focus of the Phase 2 Audits:

  • Risk Analysis. Confirm you have an up-to-date risk analysis and a corresponding risk management plan showing that you are bringing risk down to reasonable and appropriate levels. Performing a risk analysis identifies the threats and vulnerabilities to your organization’s protected health information. The results then guide you in developing the appropriate policies and procedures.
  • Documentation. The emphasis of the Phase 2 Audits will be on up-to-date documentation. Begin compiling that documentation now if you haven’t already, and ensure it is updated for 2016. Most documentation should be reviewed at least annually. Examples of required documentation include a risk analysis, a disaster recovery plan, records of issued business associate agreements, and privacy policies and procedures.
  • Technical Security. The goal is to protect information while adopting new technologies. Your technical security controls should be based on your risk analysis. Controls include email encryption, user access controls, mobile device security, strong passwords, system testing, and malware protection. Technical security is a significant trend in the compliance community. A majority of breaches last year were due to unsecured mobile devices.
  • Training. All employees should be trained on the proper handling of sensitive information. Training shouldn’t be a one-and-done process. HIPAA is always changing and new guidance is released every few months; therefore, periodic training in addition to annual training is essential to maintain compliance.

Still don’t know where to start? GRA Benefit Group’s PHI365 HIPAA consulting service provides a foundation for compliance that will prepare your insurance agency for Phase 2 audits. Contact us to learn more about GRA’s HIPAA consulting service at 800-678-4456 or [email protected]