Are you Ready for Phase 2 HIPAA Audits?

The Office for Civil Rights (OCR) is expected to begin Phase 2 of its HIPAA audits in January 2016. The audits will include both Covered Entities and Business Associates of Covered Entities. The audit protocol focuses on Privacy Rule requirements, Security Rule requirements for administrative, physical, and technical safeguards, and Breach Notification Rule requirements. If you are a Covered Entity or a Business Associate of a Covered Entity, now is the time to review your privacy and security policies and procedures to ensure that you will be prepared if you are selected for an audit by the OCR.

Covered Entities

Do you have comprehensive written HIPAA policies and procedures in place to deal with Protected Health Information (“PHI”)?

Do they include written security policies and procedures to deal with electronic PHI (ePHI), i.e., PHI transmitted by electronic media or maintained in electronic media?

Do you have Business Associate Agreements with all of your Business Associates?

Have your Business Associate Agreements been updated to include the requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)?

Have you conducted a comprehensive risk assessment to identify potential weaknesses in privacy and security safeguards, taken steps to mitigate those weaknesses, and revised your HIPAA policies and procedures to reflect those steps?

Have you implemented a risk management program which includes an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI?

Business Associates

Do you understand your responsibilities under the Privacy Rule and the Security Rule?

Do you have written policies and procedures in place to deal with PHI?

Do they include written security policies and procedures to deal with ePHI, i.e., PHI transmitted by electronic media or maintained in electronic media?

Do you have written agreements with subcontractors to ensure that they comply with the Privacy Rule and the Security Rule?

Have you conducted a comprehensive risk assessment to identify potential weaknesses in privacy and security safeguards, taken steps to mitigate those weaknesses, and revised your HIPAA policies and procedures to reflect those steps?

Have you implemented a risk management program which includes an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI?

Among other things, Covered Entities and their Business Associates need to implement device and media control policies to ensure proper encryption of mobile devices and electronic media containing ePHI if they are taken into and out of facilities. Last month, the OCR reported that a radiation oncology private physician practice paid $750,000 to settle potential violations of HIPAA after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media containing ePHI. The practice had not conducted an enterprise-wide risk analysis and did not have written policies related to the removal of ePHI into and out of its facilities.

If you have any questions concerning HIPAA or would like assistance in updating your HIPAA policies and procedures, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice and the author of this alert. You can reach Rochelle at 617 456 8036 or rzapol@PrinceLobel.com.