During a panel discussion at the American Health Information Management Association (AHIMA) 2014 conference on 30 Sep 2014, Geraldine Davis, an Office of Civil Rights (OCR) announced that the agency is not yet ready to announce the dates of the Phase 2 HIPAA audits. The delay is due to issues with building an online portal that will facilitate submission of documents to the agency. The original date for the audits was the Fall of 2014. It has now been moved to late 2014 or early 2015.
They have already selected a random pool of covered entities for the Phase 2 HIPAA audits but no notifications have been sent out. The selected entities include private medical practices, hospitals and some business associates.
As per Davis, for the Phase 2 audits, OCR will focus on covered entities and business associates’ risk analysis and risk management (the Security Rule), the content and timeliness of breach notifications (the Breach Notification Rule) and the notice of privacy practices and access rights (the Privacy Rule). The agency will focus on the risk to the data, not the risk to the impacted individual.
The delay in OCR phase 2 HIPAA audit was confirmed in the recently concluded NIST HIPAA Conference as well by Iliana L. Peters, JD, Senior Advisor for HIPAA Compliance and Enforcement, HHS OCR.
Latest posts by EHR 2.0 (see all)
- Trump Administrations’ Effect on Healthcare Organizations - January 23, 2017
- HIPAA Fine for Lack of Timely Breach Notification - January 11, 2017
- HIPAA Compliance 2016 Year in Review - January 9, 2017