Five Tips for Surviving the Phase 2 HIPAA Audits

December 30, 2015
Asaf Cidon

Phase 2 HIPAA audits are coming up soon. Here are five tips on how they differ from Phase 1 and what you should know.

The long-delayed Phase 2 HIPAA audits are finally upon us. While this may inspire panic for some healthcare providers, it doesn’t have to, as long as you know what the auditors will be focusing on and how you should prepare.

Here are five areas that the Office for Civil Rights (OCR) will emphasize in this round of audits, how they differ from Phase 1, and tips to prepare for each of them:

1. Focus: Policies and procedures regarding security protocols, data breach notification, and privacy practices

How this differs from Phase 1: The Phase 1 audits were on-site audits that included interviews with auditors. Phase 2 audits are desk audits, meaning that paperwork is submitted to the OCR but no interviews are conducted. This means that policies and procedures must be clearly stated because there will be no opportunity for clarification.

How to prepare: Review all your existing policies related to security, data breach notification, protected health information (PHI) storage and transfer, and any other procedures. Update policies as necessary and ensure that they correspond with technology your business is using today (e.g., mobile devices or cloud storage providers). What’s more, you should be sure all employees are familiar with these policies and know how to follow them.

2. Focus: Business associates

How this differs from Phase 1: Phase 1 only required covered entities to demonstrate HIPAA compliance. Phase 2 will also examine the compliance measures of each selected covered entity’s business associates, as defined by HIPAA’s Privacy Rule.

How to prepare: Make a comprehensive list of all business associates your company works with who handle PHI. This may include attorneys, transcription services, translators, tech service providers, and others; you’ll be asked to provide this list to the auditors. While you’re not responsible for your business associates’ compliance, if you find that one of your business associates is violating HIPAA, you are required to take steps to mitigate the violation and, if that’s not possible, terminate the contract. If you don’t follow those steps, OCR can find you noncompliant with HIPAA as well. What it boils down to is that business associates can often be weak links in security, so it’s crucial to know who they are and how they’re handling your PHI.

3. Focus: Encryption

How this differs from Phase 1: Phase 2 is paying particular attention to areas of “heightened risk,” the areas with the highest rates of compliance failure in the Phase 1 audits. Encryption is arguably the most important of these to focus on, as it provides perhaps the biggest deterrent to data breaches.

How to prepare: Before you can properly protect your data, you need to know where it is located. The first step is to do a discovery audit to see where your sensitive data is being stored, accessed, and shared. From there, you can identify any information, including PHI, that your organization is not yet encrypting and deploy an encryption program. Once you know how your sensitive data is being stored and shared, ensure that encryption extends to those sources. Add a layer of file-level encryption to any files that are being stored or shared in the cloud, which will keep them protected on mobile devices and in transit.

4. Focus: Breach notification and incident response

How this differs from Phase 1: Breach notification and incident response are also areas of “heightened risk,” areas in which organizations were deemed largely noncompliant in Phase 1.

How to prepare: Essentially, expect your organization to suffer a breach. No business is immune, and the odds of a data breach these days are high. Know exactly who will respond to a breach and how. Also, know how you will notify affected patients and shut down access to files or devices to minimize damage. Getting into the habit of maintaining an audit trail (which is a HIPAA requirement anyway) and reviewing it regularly is also a good idea: it can identify suspicious behavior before it develops into a full-fledged breach.

5. Focus: Clarity

How this differs from Phase 1: Because Phase 2 is homing in on specific areas flagged for follow-up, being as clear as possible across the organization is important. This means being clear for the auditors, but it also means clearly stating compliance requirements and procedures to employees and third parties.

How to prepare: Train employees on their specific roles in maintaining HIPAA compliance and be sure that the importance of compliance and security is emphasized. Educate employees on how information gets shared and how easily it can be intercepted, especially in the cloud or on mobile devices. Hire a third-party auditor to conduct a trial audit. See how you do and adjust accordingly.

Asaf Cidon is CEO and co-founder of Sookasa, a cloud security and encryption company that enables safe adoption of popular cloud services such as Dropbox and Google Drive to store sensitive information.