In this phase of audits, OCR will review policies and procedures that covered entities and their business associates have in place to comply with requirements of the Health Insurance Portability and Accountability Act (HIPAA). Now, the agency is undertaking its long-awaited Phase 2 audits, OCR announced Monday.
Advertisement
HHS OCR will start by conducting a desk audit, or telephone-based audit, of a covered entity. If the OCR does not receive a response, the government entity will use publicly available information to create its audit subject pool. These so-called “business associates” were largely given a pass in the first round of audits in completed in December 2012. Samuels said that some desk audits might result in subsequent on-site audits. The in-depth desk audit will examine compliance with the various HIPAA security, privacy, and breach notification rules.
Advertisement
Audit reports will be used to develop tools to improve compliance and prevent breaches, and to determine “what types of corrective action would be most helpful”, according to OCR. OCR is now reaching out to potential auditees by email to verify their contact information, and is identifying pools of organizations that represent a wide range of covered entities (health care providers, health plans and health care clearinghouses) and business associates, so that it can evaluate HIPAA compliance across the industry. “Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR”. “You’re in the audit lottery”, McCrystal said.
