While it is unclear when Phase 2 of OCR’s HIPAA Audit Program will begin, a revisit of the Phase 1 Documentation Request List that was disseminated to audited entities during Phase 1 provides a good start to readying your organization for what will come in Phase 2 audits. While the majority of the Phase 2 audits may be more limited and specific in scope, OCR has stated that it will conduct more comprehensive audits than originally planned. Our advice – prepare as if you were going to be audited at the most rigorous level.

General Information

  • Complete the enclosed “HIPAA Privacy and Security Performance Audit Survey for Selected Covered Entities” (Attachment B) [this attachment asks for general demographic information about the auditee]
  • Any previous audit reports, evaluations, or assessments regarding your implementation of HIPAA Privacy and Security Rules and Breach Notification Rule
  • Site contact information (name, address, phone number, email address, etc.)
  • Please confirm whether your organization uses or discloses PHI in:
    — Fundraising activities; or
    — Research activities

HIPAA Security

  • Identify any applicable industry guidance (e.g. studies, practices, regulations, etc.) or other reference material used to develop any of the policies and procedures requested below (NO NEED TO PROVIDE THIS DOCUMENTATION – SIMPLY IDENTIFY)
  • Security Officer Contact Information (name, email, phone, address and admin contact info)
  • Entity-Level Risk Assessment
  • Risk assessments for systems that house ePHI
  • Risk Assessment Procedures
  • Risk management policy
  • Organizational Chart
  • Information Security Policies, specifically those documenting security management practices and processes, such as:
    — Access Control
    — Data Protection
    — Acceptable Use
    — Workstation Security
    — Workforce / HR Security
    — Sanction Procedures
  • Security Incident Management Plan
  • Business Continuity / Disaster Recovery Plan
  • Most recent Disaster Recovery Exercise Documentation
  • Data backup and recovery procedures
  • Physical Security Policies and Procedures
  • Data destruction and media reuse procedures
  • List of role-based access – job level and level of PHI access needed for the function; log of employees by PHI access type
  • Encryption policies and procedures
  • Management’s internal control / internal audit policies and procedures relative to monitoring IT safeguards
  • System-generated user access listing of all individuals with access to systems housing ePHI
  • System-generated listing of all new hires within the past year
  • User authentication policies and procedures

HIPAA Privacy

  • Identify any applicable industry guidance (e.g. studies, practices, regulations, etc.) or other reference material used to develop any of the policies and procedures requested below (NO NEED TO PROVIDE THIS DOCUMENTATION – SIMPLY IDENTIFY)
  • Privacy Officer Contact Information (name, email, phone, address and admin contact info)

  • Privacy Policy(s) and Notice of Privacy Practices
  • Privacy Practices Documentation, including:
    — Use and Disclosure
    — Right to Request Privacy Information
    — Right to Request Privacy Protection of PHI
    — Access of individuals to PHI
    — Denial of Access to PHI Procedures
    — Amendment of PHI
    — Accounting of Disclosures of PHI
    — Administrative Requirements
  • Training documentation for employees over Privacy Practices and organization training policy(s)
  • Policies and procedures in place over administrative, technical, and physical safeguards over all forms of PHI
  • Complaint handling policies and procedures
  • Population of complaints over privacy practices made within the past year (complaint log)
  • Sanction and disciplinary policies and procedures over Privacy violations
  • Mitigation and disciplinary policies and procedures for when a breach occurs
  • Anti-intimidation / anti-retaliation policies and procedures
  • Policies and procedures over Uses and Disclosures of PHI, including:

    — Deceased individuals
    — Personal representatives
    — Confidential communication
    — Business associate contract requirements
    — Health plan documentation requirements
    — Treatment, payment, and/or operations
    — Consent and authorization requirements
    — Judicial or administrative proceeding requirements
    — Research requirements
    — Approval or waiver requirements
    — De-identification / re-identification of PHI procedures
    — Restriction of PHI
    — Minimum necessary requirements
    — Limited information provided for fundraising purposes
    — Health care underwriting requirements
    — Identity verification procedures of individuals requesting PHI

HITECH

  • Breach notification processes, entity-level risk assessment documentation and capabilities
