Skip to main content
Free Billing Consultation
Back to Blog

HIPAA Phase 2 audits are on the way – is your medical practice ready?

January 7, 2016
by Simon Hughes
Dot grid in the shape of the USA with many highlighted dots.

HIPAA_phase_2.jpgThe word is finally out from the Office of Civil Rights (OCR) that, following recommendations of stronger HIPAA oversight of the Privacy, Security and Breach Notification Rules, it will begin the second phase of compliance audits early in 2016. While the exact dates are still unknown, no further delays are expected, according to OCR Director Jocelyn Samuels. This time around, not only covered entities but their business associates, such as software and other vendors, are targeted for compliance.

The Department of Human Services Office of Inspector General (OIG) criticized the numerous OCR inconsistencies of enforcement of existing HIPAA violations, noting that in the absence of a stronger audit program for compliance identification and enforcement, the OCR will be unable to correctly identify those entities and their Business Associates which are non compliant.

Among the OIG’s recommendations for improvement in OCR programs:

  • Create and completely implement a permanent auditing program
  • Improve the documentation of corrective actions required
  • Develop policies requiring OCR staffers to check to see whether any covered entities have been investigated previously
  • Improve system efficiency in searching for and tracking covered cases
  • Expand education and outreach programs for covered entities

What will the expanded audit program be looking for?

  • Business associates of covered entities will be subject to the same privacy security safeguards as the entities themselves.
  • While the number of audits will increase, the Phase 2 audits are expected to consist of more “desk reviews” rather than the actual site visits of previous phases. In addition to previously identified areas of noncompliance from the first phase, these reviews will be checking documents and will attempt to identify whether the covered entities understand and actively utilize the HIPAA Rules.
  • Thanks to expected OCR improvements in documenting and tracking cases, previous violators and others seemed to have system compliance issues can probably expect an on-site visit from auditors.
  • Current estimates by the OCR put the expected number of audits at around 400; the actual number of audits will depend on budgetary constraints which are not expected to improve over the next few months. Consequently, enforcement of identified HIPAA violations will likely remain restricted.
  • Following the end of the pilot audits, HIPAA-covered entities have already had three years to update their safeguards to security and privacy. Any current violations of HIPAA regulations will therefore be viewed by the OCR as wilful neglect and can result in heavy fines levied against the violators. This does not bode well for those practices and other entities which have just recently become HIPAA-compliant, as they can expect to be held accountable for any past data breaches or other failures to protect patient privacy.

HIPAA Omnibus Rule Risk Analysis Explained

How can organizations prepare for the coming audits?

For those newly-compliant, be aware that you may be held liable for previous lapses in data security. That said, regardless of past compliance status, organizations and their business associates should lose no time ensuring that the required HIPAA documentation procedures are in place and correctly applied. Because time is of the essence it is critical to quickly identify and address any gaps in compliance before the auditors find them.

If your practice or organization is uncertain about how to proceed or what to look for in determining HIPAA compliance, consider using the services of an experienced medical practice management company.  M-Scribe Technologies, LLC, has been helping practices regardless of specialty or size with their audit compliance as well as billing, coding and revenue management since 2003.

Contact M-Scribe’s experienced consultants at info@m-scribe.com or call 888-727-4264 for a free analysis of your practice’s needs and learn how our experienced and dedicated staff can help ensure that your organization is fully compliant with all HIPAA Privacy, Security and Breach Notification Rules.

{{cta(‘677eb645-eebd-4c45-a37d-e84cc5d3e4a7’)}}

More Insights & Posts

April 17, 2024

2025 IPPS Proposed Rule: Highlights for Hospitals

On April 10, 2024, the Centers for Medicare and Medicaid Services (CMS) issued the fiscal year (FY) 2025 Medicare hospital inpatient prospective payment system (IPPS) proposed rule. While these provisions are not final, they do give current insight into the agency’s thinking in terms of a host of issues concerning the inpatient hospital setting, including […]

Read More
April 15, 2024

Virtual Visits: Providers Grapple with Telehealth Issues

We’ve come a long way since the days when the milkman would make his deliveries at the door and the doctor would make house calls, black bag in hand. Now, we order our goods online and we can even see our healthcare professional via the latest telecommunications technology. Americans love convenience, and it is certainly […]

Read More
April 15, 2024

Aetna to Stop Physical Status Payments

According to an April bulletin published by Aetna, the payer will no longer reimburse additional unit value(s) for anesthesia physical status (PS) modifiers, effective July 15, 2024. Aetna gave as a reason for the decision its desire to align with similar Medicare guidelines. It should be noted that this change will only affect Aetna’s commercial […]

Read More

Get the Latest RCM News Delivered

Receive practical tips on medical billing and breaking news on RCM in your inbox.

Get in Touch