Phase 2 HIPAA Audits are targeting random health care practices and organizations around the country. Having an effective HIPAA compliance program is the easiest way to pass your audit. Read on to find out what you can do to protect your behavioral health practice!
Upcoming Phase 2 Audit Protocols
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first announced this new round of random audits in 2016. Phase 2 is the second time in OCR’s history that it has instituted a random audit program. Phase 1 HIPAA Audits were rolled out in 2011 and affected a similar number of health care providers across the country.
OCR has designed these Phase 2 audits to target a broad selection of HIPAA-beholden health care organizations. That includes both Covered Entities (CEs) and Business Associates (BAs).
HIPAA defines a Covered Entity as any health care provider, including Behavioral Health specialists, who creates protected health information (PHI). PHI is any health data that can be used to identify a patient (including name, date of birth, social security number, address, medical data, etc.). HIPAA defines a Business Associate as any organization that encounters PHI over the course of the work it has been hired to do (examples include billing firms, cloud storage providers, faxing, shredding, copying, and IT providers, to name a few).
So how do you know if your behavioral health organization has been selected for a Phase 2 HIPAA audit?
OCR will reach out to your organization via email if you have been randomly selected for an audit. You should look out for emails from “OSOCRAudit@hhs.gov”.
Once you’ve been contacted for an audit, you will have 10 days to respond to OCR’s request for information. If your organization does not respond for any reason, federal investigators will continue to contact your organization until they receive a response. This includes finding publicly available information to call or contact you.
One of the first things federal investigators will ask for is a complete list of your organization’s business associates, with contact information for each. Identify your business associates now so that you’re prepared for these upcoming HIPAA audits.
Additionally, your organization must have a HIPAA compliance program in place with full documentation that can be provided for OCR investigators.
Desk Audits vs. Onsite Audits
Phase 2 HIPAA Audits consist of a number of different stages.
The first stage is desk audits, which are a series of remote audits. OCR investigators will contact your organization via email and you’ll be prompted to send the appropriate information. Investigators will not come to your physical location, but you’ll still be required to comply with the investigation.
Onsite audits are another means of investigation that OCR is set to pursue in 2017. Onsite Phase 2 HIPAA Audits will require federal OCR investigators to come onsite to inspect your organization. They will be checking your level of compliance with HIPAA regulation.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, see these upcoming HIPAA educational webinars.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.