Preparing for Phase 2 HIPAA Audits: It’s All About the Documentation

Hospital Industry Viewpoint

February 17, 2015

The launch of Phase 2 HIPAA audits is imminent. Although any individual hospital has only a small chance of getting audited, preparation helps protect a hospital if it is ever investigated for potential HIPAA violations. In large part, that preparation should focus on ensuring that the documentation of compliance is complete and without deficiencies.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits of covered entities and business associates evaluating compliance with the HIPAA privacy, security, and breach notification rules. OCR recently announced a slight pause before commencing the audits and a shift in focus, which makes this a perfect time for a hospital to perform a HIPAA compliance check-up to ensure that it is ready if selected for a Phase 2 audit.

In September 2014, OCR announced that it was delaying the Phase 2 audits while it works to roll out a Web portal through which covered entities can submit audit data. At a recent conference, OCR Senior Advisor Linda Sanches said, “I’m ready to go, but our technology isn’t quite there yet.” In January 2015, OCR Director Jocelyn Samuels said Phase 2 audits would be “implemented expeditiously” and urged covered entities to keep checking the OCR website for additional information in the coming weeks and months. The random pool of covered entities to be audited has been selected, but as of this writing, we are not aware of any notifications that have been sent.

In preparing for a Phase 2 audit, a focus on HIPAA Security Rule standards is advisable. In the Phase 1 audits conducted during 2011 and 2012, security accounted for 60% of OCR’s findings and observations. A hospital’s check-up for a Phase 2 audit should include the following as priority tasks:

  • Confirm that all action items reflected in a security risk analysis have been completed or are on a reasonable schedule for completion
  • If the hospital has chosen not to implement any of the Security Rule’s addressable implementation standards, then clear documentation should be available explaining and justifying the decision
  • Ensure that HIPAA policies and procedures have been approved, implemented, and updated on a regular basis, which is an indicator of an active HIPAA compliance program
  • Implement a comprehensive breach response plan that reflects the new risk-assessment standard provided in the HIPAA Final Rule

The Phase 2 audits will primarily be desk audits that focus on documents only, without on-site auditing. Therefore, proper documentation is particularly critical. Even the failure to sign a policy prior to the date of an audit request may create a presumption of noncompliance.

Given the relatively small sample size (perhaps as small as 200 organizations, including business associates), the chances that a particular hospital will be selected for audit are fairly low. However, preparing for an audit will help a hospital avoid sanctions in the event of an OCR investigation—which could be triggered by any breach or patient complaint reported to OCR.

Reece Hirsch

Andrew Ruskin
Albert W. Shay