On Monday, July 11, 2016, letters were delivered to the 167 organizations chosen for "Phase 2" HIPAA audits. These audits, called "desk audits," will look at the selected organizations' compliance with the HIPAA Privacy, Security and Breach Notification Rules. The selected organizations needed to reply by July 22 and to follow a structured process after that. You can read details about these audits on the OCR website. Be sure to scroll down a bit so you see the Phase 2 Audit Program Protocol.
According to OCR, these Desk Audits will cover specific aspects of compliance:
Requirements Selected for Desk Audit Review

Privacy Rule
  Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  Provision of Notice – Electronic Notice [§164.520(c)(3)]
  Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
  Timeliness of Notification [§164.404(b)]
  Content of Notification [§164.404(c)(1)]

Security Rule
  Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
  Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]
Starting in the fall, Business Associates will be up for review.
I wonder if any SOS customers or readers of this blog have been selected for audit. If so, we hope you will share your experience.