Technology Blog »

HHS OCR Announces 2016 Phase 2 HIPAA Audits

how to help prevent a hipaa audit
HIPAA Audit Notice

Over the last few weeks, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released notices to Covered Entities and the Business Associates that they work with on a NEW 2016 Phase 2 HIPAA Audit Program.  The announced Audit Program covers some new HIPAA Privacy, Security and Breach federal rules.

HHS OCR has sent notifications to Covered Entities regarding the request for a HIPAA Desk Audit that will request a list of their Business Associates.

The HIPAA Desk Audit will NOW include a requirement to send a list of their Business Associates to the OCR.

First Things First, What is a Covered Entity? 

If you are reading this it may be you!  Any Health care providers, health care clearinghouse, health plan and health care individual service provider who transmit or store health information electronically. 

What is a Business Associate? 

A business associate is any individual or company that supports the covered entities or comes in contact with Electronic Patient Health Information (ePHI) managed by the covered entity.   This means your IT provider, maybe a software vendor, possibly your accountant or lawyer.. 

You may want to pay special attention to sub-contractors you are using to augment your salaried work-force.

Did you know that your BA's need to be HIPAA compliant?

What is required during the OCR HIPAA Desk Audit this year?

Once you receive an Audit request from the OCR you are required to respond within 10 Days.

Your response will include your compliance to Policies, Procedure and Evidence. 

A list of all of your business associates contact information will be required to send them.

There is value in conducting these HIPAA Assessments. 

Lack of HIPAA risk assessment can lead to very expense data breaches. In a recent IBM report stated that Healthcare data breached have reached a loss of $402 per record between Breach Notifications, Penalties and Lost Business.  In a breach of 10,000 records can lead to a $4,020,000 in losses.  A example of this can be found in the recent news when the OCR fined a Business Associate for $650,000 from the theft of an unencrypted SmartPhone, click here on the details of the case http://goo.gl/JDl291

What can you do NOW?

The first step is to conduct a HIPAA Risk Assessment and gap analysis to see where you are lacking with your compliance program. 

DCS can assist you with your HIPAA Compliance by leveraging our HIPAA Risk Assessment to be ready when HHS comes calling and also to prevent future data breaches.

For a limited time, DCS has special pricing for $2999 a year to assist you in complying with these new HIPAA regulations. These services include the following:

  • HIPAA RIsk Assessment
  • HIPAA Data Collection Scans
  • HIPAA Policies and Procedures
  • Evidence of HIPAA Policy Compliance
  • HIPAA RIsk Analysis and Management Plan
  • HIPAA technical security exception reporting

Remember internal self assessment may not catch all the critical items can will result in expensive fines and possible non compliance.