INSIGHTS FOR HEALTH CARE 

MAY 24, 2016   

ABOUT US

Eide Bailly is a top 25 CPA and business advisory firm with a national health care practice.

 

Health Care News Network (HCNN) is published on an as-needed basis to keep you informed of current news impacting health care organizations.
 



Privacy, Security and Breach Notifications: Is Your Organization Ready for HIPAA Phase 2 Audits?

By: Barb Pritchard 
 
Health care technology continues to expand and advance, and with that comes an increased risk of consumer privacy breaches. The HHS Office of Civil Rights (OCR) enforces the rules related to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). The OCR established a pilot auditing program in 2011.
 
In Phase 1 of the audit program, the OCR evaluated covered entities' HIPAA controls and processes surrounding Privacy, Security and Breach Notifications. The OCR then developed a protocol of review that was used to assess 115 covered entities.
 
Phase 2
Moving forward with Phase 2 of the audit program, which began in March, the OCR will be requesting information to validate the covered entities' organizational contact information. Once this is completed, the OCR will randomly request the completion of a pre-audit questionnaire. Failure to respond to the request will not exclude you from a possible audit, and your organization runs the risk of the OCR having incorrect contact information.
 
Organizations that are randomly selected for a Phase 2 audit will receive both an email and a letter requesting documents. The expectation is for the organization to respond within 10 days from the date of the letter.
 
As part of the Phase 2 audits, covered entities will also be requested to provide a listing of, and contact information about, their business associate agreements. Additionally, the OCR will be evaluating business associates for their HIPAA practices. Both desk audits and onsite audits will be conducted.
 
The first round will be concentrated on the covered entities. The second round will include the business associates. The goals of the audits are to evaluate HIPAA compliance, drive best practices, and identify risk vulnerabilities based on process reviews and complaint investigations.
 
Results of the draft audits will be shared with the organizations.
 
Next Steps
  1. Does your organization have HIPAA policies and procedures?
  2. Are your HIPAA policies and procedures compliant with current regulations?
  3. Do you have a business associate agreement with people who view protected health information?
  4. Are your business associate agreements current?
Questions?
To learn more about how Eide Bailly can assist with evaluating your readiness for the Phase 2 Audit Program or with business associate agreement templates, contact your Eide Bailly professional.

   

Barb Pritchard
Health Care Consulting Manager
701.239.8576
bpritchard@eidebailly.com 

This publication is produced and published by Eide Bailly and distributed with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns as the contents of the publication are intended for general informational purposes only. Readers are urged not to act upon the information contained in this publication without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and information for publication can be submitted to your Eide Bailly representative. To request reprints of this publication, send a written request to RequestReprints@eidebailly.com.
© 2016 Eide Bailly LLP.