Are You Ready For HIPAA Stage 2 Audits?

Back in 2012, the Office for Civil Rights (OCR) implemented a HIPAA audit pilot program mandated by HITECH, the legislation that also created the Meaningful Use program. The audit program was considered a "pilot," and while the audit processes were not limited in scope (an audit generally involved 5 days onsite at the target organization), they were limited in reach, covering only 115 organizations.

The findings of the pilot program shaped the current program and are worth reviewing:

  • 58 out of 59 (98%) of the health care providers audited had at least one negative finding regarding Security Rule compliance.
  • 60% of all findings and observations involved failure to follow the Security Rule.
  • Providers, as opposed to health plans and clearinghouses, accounted for 65% of the findings while making up only 53% of the audit targets.
  • Small practices struggled with all aspects of compliance: Privacy, Security and Breach.
  • 47 of 59 providers had a missing or inadequate risk assessment, as did 20 of 35 health plans and 2 of 7 clearinghouses.
  • The audits identified the cause of each failure, and the most common cause cited was "entity unaware of the requirement."

This pilot program was the precursor to the recently initiated Stage 2 audits. The protocol for the Stage 2 audits has been published and can be found here.

Organizations targeted for an audit will have 10 days to upload requested documents and reply to questions. The audit has more than 1300 elements (questions, document requests, etc.) covering Privacy, Security and Breach.

Are you ready? Before answering that, ask yourself:

  1. Has your medical organization or practice created a process for assessing your current and future business relationships to determine whether each relationship is with a "business associate," as that term is defined under the HIPAA Rules, and whether it therefore requires your organization to enter into a business associate agreement?
  2. Has your medical organization or practice created a process for retaining documentation of each business associate agreement for at least six years beyond the date on which the business associate relationship terminated?
  3. Does your medical organization or practice limit disclosure of PHI to business associates to the minimum amount of PHI reasonably necessary for the business associate to perform its duties?
  4. Does your medical organization or practice create written job descriptions that correlate with the appropriate levels of access?
  5. Has a qualified person conducted a HIPAA-required security risk assessment within the last year, and has that person documented the results?

If you answered “no” to any of these questions, your organization could be at risk.

For more details on this topic, watch our recent webinar on-demand, OCR (HIPAA Stage 2) Audits: What to Expect and How to Prepare, featuring Steve Spearman and Michelle Richards.
