According to a July 12, 2016 OCR announcement, Phase Two of OCR's HIPAA audit program "has officially kicked into high gear." If you were a covered entity selected for the desk audit portion of the audit program, you should have received a letter by email on Monday, July 11, 2016.
167 entities, including health plans, health care providers and health care clearinghouses, received letters. According to the announcement, the desk audits will examine the selected entities' compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.
Requirements Selected for Desk Audit Review
If you are one of the lucky recipients of a desk audit documentation request, you will have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall. According to OCR, the Requirements Selected for Desk Audit Review include the following:
Privacy Rule
- Notice of Privacy Practices & Content Requirements [164.520(a)(1) & (b)(1)]
- Provision of Notice: Electronic Notice [164.520(c)(3)]
- Right to Access [164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Review
- Timeliness of Notification [164.404(b)]
- Content of Notification [164.404(c)(1)]
Security Rule
- Security Management Process: Risk Analysis [164.308(a)(1)(ii)(A)]
- Security Management Process: Risk Management [164.308(a)(1)(ii)(B)]
How can we help?
If you are one of the primary contacts for a covered entity, we highly recommend checking your email. Double-check your spam folder to make sure that email that may have been sent from [email protected] did not get marked as "spam" or "junk." If you did receive an email providing instructions for responding to the desk audit document request, or have any questions about this process, please do not hesitate to contact us! We can help you throughout the process.