Blog Post

You could still be picked for a Phase 2 HIPAA Audit. Here's how to be prepared.

March 1, 2017

    Health care organizations are the stewards of their patients' protected health information (PHI); they must fend off negligent and malicious insiders as well as guard against a rash of external cyberattacks aimed at breaching their systems' environment.

    To safeguard patient data, the HHS Office for Civil Rights (OCR)—which is charged with enforcing HIPAA Privacy, Security and Breach Notifications Rules—has moved into its next stage of audits of covered entities and business associates, known as the Phase 2 HIPAA Audit Program. According to the OCR, the most common violations are around:

    • Non-existent business associate agreements (BAAs);
    • Incomplete or not remedied  risk assessments;
    • Lack of encryption for data at rest and in flight;
    • Unpatched software;
    • Incomplete or inadequate policies and procedures for access control;
    • Improper disposal of data; and
    • Incomplete or inadequate disaster recovery.

    While covered entities selected for a HIPAA Phase 2 audit were notified by July 11, 2016, don't assume you are in clear because you didn't receive a notification—your organization may be subject to an audit if you are a business associate of a covered entity that is currently being audited.

    Make sure your business associate agreement is in compliance

    The OCR is looking closely at BAAs. Whether you're a covered entity or part of the digital supply chain as a business associate, there are several operational issues that need to be clarified in advance within your BAA to be in compliance. Some of them include:

    • Patient record responsibility: Establish which entity will indemnify whom in the event of a breach.
    • Lifecycle terms: Identify when data is exchanged, what the limitations on use are, and any disposal requirements.
    • Notification responsibility and provisioning/de-provisioning: Decide if access should be revoked when a legitimate user's role changes due to staffing changes, and establish a service-level agreement around who allows access to whom.
    • Policies: Discuss additions to policy such as minimum required protections, identity and access policies, and password standards.

    It is increasingly important for health care organizations to shift from an "if" mindset to a "when" mindset on the possibility of a breach. The key to preparation is to discuss and determine several of the decisions that must be made in the event of a breach before it occurs. Consider documenting these decisions and expectations within your BAA or at least within a Memorandum of Understanding with your digital trading partners:

    • Notification responsibility: Decide which entity notifies compromised parties, regulatory authorities, and the media.
    • Approval authority: Document if a specific entity should approve notifications.
    • Cost: Determine which entity should financially assume responsibility for all notifications, and cover costs for remediation (e.g., identity theft monitoring).
    • Forensics: Decide which entity has the right to conduct, and review results.
    • Coverage: Outline which entity's insurance covers what.

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.