Many organizations probably didn’t even realize that OCR (HHS’ department in charge of HIPAA) had put in place HIPAA audits since the pilot program only audited 115 covered entities. That’s likely to change for a lot more healthcare organizations (including business associates) as Stage 2 HIPAA Audits are rolled out. Is your organization ready for a HIPAA Audit?
After spending about 2 months scouring the Stage 2 HIPAA Audit prototol, HIPAA One put together a great comparison of the simplicity of stage 1 HIPAA audits versus stage 2 HIPAA audits:
What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
- HITECH added Breach Notification to HIPAA and endorsed the OCR‘s Audit Program.
- Contained 169 total protocols.
- Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
- OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit)
- Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
- 180 Enhanced protocols (groups of instructions) which contain the following updates:
- Privacy – 708 updates (individual lines of instructions)
- Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
- Security – 880 updates (individual lines of instructions)
- Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.
That’s a lot of changes that are going to impact a lot of organizations. How many organizations have spent the time seeing which of these changes are going to impact their organization? I’m sure the answer to that is not many since “ignorance is bliss” is the mantra of many healthcare organizations when it comes to HIPAA compliance.
Particularly interesting is that HIPAA One points out that many of the checklists, books, commercial compliance software, and even ONC’s own SRA tool are likely outdated for these new changes to the HIPAA audit protocol. They’re probably right, so make sure whatever tool you’re using to do a HIPAA SRA takes into account the new HIPAA audit protocol.
Just so we’re clear, there actually hasn’t been a change to the HIPAA Omnibus update in 2013. However, the HIPAA audit protocol clarifies how the HIPAA law will be interpreted during an audit. That means that many of the gray areas in the law have been clarified through the audit protocol.
In HIPAA One’s blog post, they outline some important next steps for healthcare organizations. I won’t replicate it here, but go and check it out if you’re a HIPAA compliance officer for your organization or forward it to your HIPAA compliance officer if you’re not. The first suggestion is a really key one since you want to make sure you’re getting your HIPAA audit emails from OCR.
It’s taken HHS and OCR a while to roll out the full HIPAA audit program. However, it’s fully functioning now and I expect 2016 will be a real wake-up call for many organizations that aren’t prepared for a HIPAA audit. Plus, many others will be woken up when their friends fail their HIPAA audit.
Is your organization ready for a HIPAA audit?
Full Disclosure: HIPAA One is an advertiser on Healthcare Scene.