2016 HIPAA Audits Part 10: OCR Phase 2 - Is HIPAA Coming For You?
by Donna Koger, 12.7.16
As most of you already know, on March 21, 2016, OCR announced "Phase 2" of its audit program. Some providers have already received emails asking for updated contact information so OCR can effectively communicate with the entities selected for an audit.
Failure to respond will not protect you from being included in the audit program, so it is important to check email spam filters to make sure that an email has not been held up in delivery.
OCR intends to audit a broad spectrum of covered entities and business associates of various sizes, types and locations. However, OCR will not include entities with an open complaint investigation or compliance review. And, even though more stringent state laws that are contrary to HIPAA preempt HIPAA's provisions, OCR has indicated that its audit program will not consider state-specific privacy and security rules.
Covered entities will be asked to provide to OCR a list of business associates, who then could become potential audit targets. The best thing to do is prepare a list now of your business associates, their service(s) and contact information. OCR has published a list of 27 elements for each business associate.
Required Elements for Each Business Associate:
1. Business Associate Name
2. Type of Service(s) provided
3. First Point of Contact Title
4. First Point of Contact First Name
5. First Point of Contact Last Name
6. First Point of Contact Address
7. First Point of Contact Address Continued (if needed)
8. First Point of Contact City
9. First Point of Contact State
10. First Point of Contact Zip
11. First Point of Contact Phone
12. First Point of Contact Phone Extension (if needed)
13. First Point of Contact Fax
14. First point of Contact Email
15. Second Point of Contact Title
16. Second Point of Contact First Name
17. Second Point of Contact Last Name
18. Second Point of Contact Address
19. Second Point of Contact Address Continued (if needed)
20. Second Point of Contact City
21. Second Point of Contact State
22. Second Point of Contact Zip
23. Second Point of Contact Phone
24. Second Point of Contact Phone Extension (if needed)
25. Second Point of Contact Fax
26. Second point of Contact Email
27. Website URL
Covered entities and business associates will have only 10 business days to respond to audit requests. A final audit report will be completed within 30 business days after the auditee responds. Depending on the results of the audit, OCR may initiate a compliance review which could lead to enforcement action.
If you have conducted a Security Risk Analysis that includes a section on Disaster Recovery, you should already have prepared a list such as the one above. If not, you should begin that process ASAP in case of an audit. See The Audits Are Coming! The Audits Are Coming! for more details.
Find more complimentary resources in our HIPAA Resource Center.
Part 1: What's on the Horizon?
Part 2: Into the Breach
Part 3: PHI Identifiers
Part 4: 10 Steps to Compliance
Part 5: Where's Your PHI Data?
Part 6: HIPAA Crash
Part 7: 5 Steps to Take After a Data Breach
Part 8: All About the BAA
Part 9: The Audits Are Coming! The Audits Are Coming!
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.