OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready?

On Mar. 21, 2016, OCR announced it officially launched its much-anticipated Phase 2 HIPAA audit program. This announcement comes on the heels of multi-million dollar settlements with Minnesota and New York healthcare organizations, respectively, thereby demonstrating OCR’s emphasis on HIPAA enforcement.

OCR will conduct both desk audits as well as on-site reviews of both covered entities and business associates. Desk audits are to be completed by Dec. 2016. Noncompliance with the HIPAA standards or failure to fully cooperate in the audits could result in the imposition of civil monetary penalties.

Healthcare counsel and privacy and security professionals must understand the scope and process for the Phase 2 audits to fully prepare covered entity and business associate clients for an audit. They should also guide clients in identifying and eliminating gaps in HIPAA compliance.

Listen as our authoritative panel of healthcare attorneys discusses lessons learned from past audits, OCR Phase 2 audit scope and timeline, and how to prepare for audits using a risk-based approach. The panel will also offer best practices to identify risks of noncompliance and minimize said risks.

1. Phase 2 HIPAA audits
   1. Scope
   2. Timeliness
   3. Audit process
   4. Lessons learned from past audits
2. Preparing for an OCR audit
3. Conducting a self-audit
   1. Policies addressing privacy
   2. Security of PHI
   3. Reporting procedures
4. Best practices for identifying and minimizing risks of noncompliance

The panel will review these and other key issues:

• What are the practical lessons from OCR’s Phase 1 audits?
• What steps should covered entities and business associates take to prepare for OCR audits?
• What practices should covered entities and business associates employ to successfully navigate a Phase 2 audit?