The Office of Civil Rights (OCR) has proposed to ramp up its Phase II HIPAA audits at some point in 2015. Unlike the initial pilot Phase I audits, the second round will require compliance from the chosen health care account and will be expanded to include its “Business Associates.” Business Associates are subcontractors of health care organizations that have business agreements with the selected entity.
These audits will affect between 550 and 800 covered entities and their associated business partners, chosen at random through the National Provider Identifier database.
What will the OCR be looking for?
- Risk analysis and risk management policies
- Content and timeliness of breach notifications
- Notice of privacy practices
- Individual access
- Training procedures
- Device and media controls
- Transmission security (Encryption)
The OCR will use the Phase II Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.
If you are a health care organization or have a Business Agreement with a health care organization, this may be a good time to review your Network Security Liability coverage with your insurance agent.
Contact our knowledge brokers for more information!