Robert Godard
Listen to: "Tracking Compliance Through Phase 2 HIPAA Audit Programs"

HIPAA: From the Beginning to Phase 2

If you work as the CIO or IT manager for any type of healthcare office or facility, you have probably worked diligently along with your company’s human resources and legal teams to understand and implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Further, according to the U.S. Department of Health and Human Services (HHS), “the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk.” Together, HIPAA and HITECH address the ever-growing importance of technology in the various healthcare fields, and their creators wanted to “create a set of uniform electronic healthcare transaction codes” to protect the privacy of each patient’s health.

As a healthcare IT professional, you may find it hard to imagine the time before 1996, but at the time there was virtually no federal law regulating the privacy of health information, creating stress for patients who wanted some assurance of protection. Even though it takes effort and extensive collaboration, over the years HIPAA has made great strides to protect patients’ privacy, thus improving their experience and confidence that their medical records are kept strictly between them and their healthcare provider.

Maintaining and complying with the HIPAA Privacy Rule’s policies helps protect the data your company collects, stores, processes and transmits. Over the years, HIPAA has undergone many changes to reflect changing technology and relevant social standards, such as the HIPAA Security Rule. Finally becoming fully active in 2005, HIPAA has sparked a gamut of reactions from those affected, including skepticism, confusion and angst. Critics worried about the sheer glut of information and wondered how busy healthcare facilities might keep up with the requirements of such a tome and its contents.

Professionals throughout the medical industry, including compliance officers and IT directors, have found and created ways, including hiring third-party auditing teams, to help process, address and adhere to all HIPAA policies to protect the privacy of patients.

Phase 2 HIPAA Audits

What Is the Phase 2 HIPAA Audit Program?

In July 2014, the Office for Civil Rights (OCR) announced the introduction and implementation of the Phase 2 audit program to detect needed changes to HIPAA for public release in 2016. The OCR has taken, and continues to take, great pains to accumulate concrete data to understand the changes needed for HIPAA to meet modern standards of technology and privacy, and to determine reasonable ways to create and implement those changes as expediently and efficiently as possible.

What Are Some of the Resources the OCR Has Used to Collect Key Pieces of HIPAA-Related Data for Phase 2?

The OCR has drawn their own data on this large-scale project from a number of resources in order to compile a comprehensive and meaningful list of potentially necessary changes, additions and adaptations. Explore some of the resources that the OCR used to collect important data that may ultimately serve to improve efforts to protect medical and dental patients’ privacy.

  • The OCR Has Reached Out to Affected Parties. Since the implementation of the Phase 2 audit program, the OCR has reached out to covered entities and business associates. The intention of this pilot audit program was to “assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements,” according to the HHS.
  • The HIPAA Phase 2 Audit Program. The OCR uses the audit program to focus on the entities that need to adhere to HIPAA’s policies and to determine overall compliance efforts among this wide range of business entities. The audits have offered the OCR a wealth of useful information that has helped drive the direction of changes. The audit program helped to assess compliance efforts among a large pool of business entities, identify best practices, examine new mechanisms for better compliance, and identify electronic risks and vulnerabilities that might endanger the privacy of patients. The audit program illuminates issues that survey candidates might not have mentioned in interviews and surveys.
  • The Covered Entities’ and Business Associates’ Response Time to Repeat the Process. Once the OCR has collected the results of surveys and the audit, covered entities have a certain period of time, often approximately 10 days, to respond to the OCR’s notification. Failure to respond to the OCR may escalate the process from the entity’s ability to perform a remote desk audit to undergoing an onsite audit. The data that the OCR receives through each round of data collection and audits becomes a tool to help healthcare business entities tighten up their HIPAA compliance efforts to achieve better results for their patients’ privacy. The OCR periodically repeats this process to streamline it and to continue collecting data on issues that may need permanent changes to fit within Phase 2.
What Are Covered Entities?

It might help you to know more about covered entities, which HIPAA defines as follows:

  • Health plans, including individual and group plans
  • Healthcare clearinghouses
  • Healthcare providers that transmit patient data electronically

How Can You and Your IT Team Prepare for HIPAA Phase 2 Audits?

Whether you have already worked with the OCR, or you plan to in the future, consider some of the following preparations, as well as several others, you can make to help the process move along more smoothly.

  • Post all HIPAA-related materials in break rooms, lobbies and any other spots where staff can easily review them regularly.
  • Verify that your office’s Notice of Privacy Practices is up-to-date.
  • Document all staff training to reinforce HIPAA policies.
  • Amend plan documents to reflect HIPAA-required provisions.
  • Test your computer system to detect risks and deficiencies so you can correct them quickly and completely. Document any incidents and your course of action to resolve the issue.

Work Toward the Final Version of the HIPAA Phase 2 Audit Program With Ease and Confidence

While the HIPAA Phase 2 audit program started in 2014 and had an initial launch date in 2015, you aren’t alone if you find the idea of this undertaking complex. The OCR has committed to performing this arduous task, along with covered entities and business associates, to better serve the privacy of all patients. If you feel daunted preparing for your upcoming desk audit, we can help you. Our compliance experts at I.S. Partners, LLC understand all facets of Phase 2 and look forward to helping you reach a better understanding to fulfill your HIPAA policy requirements as soon as possible. Contact us to discuss the complexities of this process and what we can do to help your organization.
