They have promised and promised and promised and now they are here. HIPAA Phase 2 has arrived. Phase 2 HIPAA audits will primarily be desk audits. The subject of the audits will be both covered entities and business associates.
Covered Entities and Business Associates selected [referred to as auditees by HHS] will be notified via email.
You had better have your house in order, because entities selected must respond within 10 business days [2 weeks]. The auditee is to respond by uploading electronic documents to a secure online portal. After an initial review of the auditee’s responses, a draft of the findings will be provided to the auditee, and the auditee will have 10 business days to review and provide written comments on the draft findings. After the auditee’s response, the auditors will provide a final draft in 30 days. The auditee will be given a copy of the final report.
The goal of the audits [per HHS] is to determine what technical assistance is needed and what corrective action would be most helpful. On its face, pairing "helpful" with "corrective action" seems odd. Be warned: ‘Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.’
Contrary to the common path of HIPAA, there will be no public announcements of who failed and who passed. OCR [Department of Health and Human Services’ Office of Civil Rights] will not identify individual entity results. Individual entity results will be available via a Freedom of Information Act [FOIA] request.