A random audit program to gauge Phase 2 HIPAA compliance is expected to be underway soon. This round will target business associates, including financial institutions that are typically exempted from HIPAA compliance when they provide what are considered to be typical banking services such as payment processing and credit/loans. But financial institutions that “create, receive, maintain, or transmit” protected health information may now have direct obligations under HIPAA.

This round will include both on-site and off-site reviews.

Off-Site Audits

Off-site audits focus on documentation reviews. These audits typically focus on one of the three main HIPAA provisions – breach notification, security, and data privacy protocols. Documentation cannot be created after you receive the audit request, so review your policies and procedural documents to ensure they are current and comprehensive.

Your documentation should cover the scope of your HIPAA compliance program and demonstrate how you have updated your policies and practices in response to the HIPAA Omnibus rule implemented in 2013.

On-Site Audits

On-site audits tend to involve a more in-depth investigation. Federal investigators will review documentation here too, but may also ask staff about how policies are actually implemented on a day-to-day basis. It’s not enough to be perfectly compliant on paper; you will also have to demonstrate consistent implementation. Do make sure that everyone on staff understands and implements your data privacy and protection policies. On-site audits are expected to be conducted throughout 2015 and into 2016.

What to Expect Off and On-Site

The Round 2 audits will likely focus on looking at the maturity of HIPAA compliance. Auditors will likely look at how a covered entity has remediated issues that surfaced in previous security risk analyses, as well as how they responded to the HIPAA Omnibus rule.

Areas that are likely to get special attention are an entity’s access and security breach management processes, audit controls, and processes for securing data in transit, data retention, and data destruction.

Obviously, you don’t want to focus your compliance efforts solely on what auditors are expected to look at – your audit team may surprise you.  You may want to bring in a third-party vendor who can conduct a compliance gap analysis, review your processes, and give you an impartial view of your compliance profile.

Business Associates

Audits now include, for the first time, checks on “business associates,”[MD1]  any entity or person that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Ensure that you have a list of your business associates, and documentation of each business associate’s compliance with HIPAA regulations.

About 300-400 business associates will be subject to audits this year, and investigators will likely be gauging their risk analysis and risk management programs, as well as their breach reporting processes.

Organizations that need help in assessing their data security profiles can reply on BAI’s IT Security Assessment, Compliance Audits, and Risk Assessment Review services. BAI Security’s IT Security Assessment consists of a comprehensive evaluation of key technologies, systems, and personnel within an organization to identify vulnerabilities that can lead to a compromise of data assets and/or intellectual property. This approach has a more fundamental focus on identifying real-world security weaknesses, rather than just conforming to minimum compliance requirements.