With the second phase of HIPAA audits underway, every covered entity and business associate is eligible for an audit. However, OCR will not audit entities that currently have an open complaint investigation or are undergoing a compliance review. These audits will evaluate organizations' compliance with the HIPAA Security, Privacy, and Breach Notification Rules.
Any organization required to comply with HIPAA standards should ask itself the following questions to determine its adherence to compliance regulations:
- Does my business have written policies and protocols in place to address HIPAA standards?
- Is my business performing and documenting regular risk assessments?
- Does my business have an established data security policy?
- Does my business have a BYOD security and use policy?
- Are the business associates affiliated with my organization HIPAA compliant?
- Does my business have an effective incident response plan to handle a breach if it occurs?
- Are my employees required to complete regular HIPAA training programs?
OCR's audits will gather information that will be used to identify best practices, proactively address risks to PHI, and raise industry awareness of compliance standards. OCR will use the data collected to create tools and guidelines that improve the industry's ability to self-evaluate and help prevent breaches. These phase 2 audits will also be used to develop a permanent audit program.