OCR’s Phase II Audit Program in Flux, But Covered Entities Still Need to Be Prepared, AIS Newsletter Reports
Atlantic Information Services, Inc. (AIS) - October 8, 2014 - Washington, DC

The HHS Office for Civil Rights (OCR) is preparing to launch OCR Phase II Audits, a permanent audit program for covered entities (CEs). But as AIS’s Report on Patient Privacy (RPP) learned at a HIPAA security conference held in late September, OCR is still dealing with funding constraints and finalizing the program, as reported in its October issue.

“We are hoping to implement Phase II soon,” Iliana Peters, OCR’s senior advisor for HIPAA compliance and enforcement, told the attendees during her closing presentation at the Sept. 23-24 conference co-hosted by HHS and the National Institute for Standards and Technology. “However, it depends on a lot of factors, including resources,” Peters said, joking that OCR might need to launch a Kickstarter campaign in order to fund it. Phase I, the pilot program, was completed more than a year ago.

When the program will begin, Peters said, hinges at least in part on the completion of some “technology” upgrades that will enable auditees to electronically submit data and documents directly to OCR, perhaps through a standardized template or portal. Beyond using the word “soon,” however, Peters did not specify when the program might commence or how many would be audited. A presentation slide with general time frames was said by Peters to be “out of date.”

In addition to not having technology in place, OCR also has not yet completed the “protocol” for Phase II, though Peters did not mention this. Aspects of the program that currently appear near finalization include the fact that most will be “desk” audits conducted by OCR staff. In the pilot, contractors visited CEs and conducted onsite reviews.

But, Peters emphasized, once Phase II begins, OCR will use it “as an enforcement tool” that, depending on what issues are discovered, may result in corrective actions. Peters said that even if no security breaches were reported, the agency would pursue an investigation if major compliance issues were found during the course of an OCR-initiated audit, and resulting actions could include settlements and monetary penalties. These, she said, are “never off the table.”

Visit http://aishealth.com/archive/hipaa1014-01 to read the article in its entirety, which also includes “Audit Phase 2 Expectations” from Peters’ presentation.

About Report on Patient Privacy
Report on Patient Privacy is the health industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security. Published for hospitals and other providers, health plans and other HIPAA-covered entities and business associates, the 12-page newsletter focuses on privacy issues that can result in huge fines, penalties and public relations nightmares, including: security breach notification; business associate relations and agreements; and new federal privacy rules for marketing, fundraising, privacy notices, minimum necessary, patient rights and safeguarding privacy in EHRs. Visit http://aishealth.com/marketplace/report-patient-privacy for more information.

About Atlantic Information Services
Atlantic Information Services, Inc. (AIS) is a publishing and information company that has been serving the health care industry for more than 25 years. It develops highly targeted news, data and strategic information for managers in hospitals, health plans, medical group practices, pharmaceutical companies and other health care organizations. AIS products include print and electronic newsletters, websites, looseleafs, books, strategic reports, databases, webinars and conferences. Learn more at http://AISHealth.com.

It's quick and easy to sign up for FREE access to AISHealth.com!

Why do I need to register?