Resource Tools
The U.S. Department of Health and Human Services’ Office for Civil Rights has announced the second phase of its HIPAA audit program. In view of the OCR’s recent increase in enforcement activity, it is imperative for organizations to prepare.
What To Do
- Look out for an OCR e-mail
  - Notification letters were sent to covered entities on July 11, 2016
  - Check your e-mail spam folder periodically
- Verify that the e-mail is
  - Sent from OSOCRAudit@hhs.gov
  - Substantially similar to this letter
  - Not prompting you to provide log-in credentials, PHI or other confidential information; it should only ask for your organization’s primary contact
  - If the e-mail doesn’t appear legitimate, do not respond and report it to the OCR
- Provide requested contact information
- Review your current compliance plan
  - Review your company’s risk analysis and address concerns
  - Review your entity’s current HIPAA security risk assessment and plan
  - Examine your entity’s protections for mobile devices, such as remote wiping and/or remote disabling technology
  - Examine security protections for ePHI, such as encryption
  - Assess your entity’s disaster recovery plan and procedures for terminating PHI access for ex-employees
  - Ensure that the risk analysis and policies are up to date
  - Remind employees about the minimum necessary standard
  - Prepare a list of business associates and their contact information
- Respond to pre-audit screening questionnaire
- Provide requested list of your business associates
How We Can Help
- HIPAA Audit Overview
  - What to expect and how to prepare for the HIPAA audit program
- Self-assessment toolkit
  - A checklist that covered entities and business associates can use to conduct a preliminary self-assessment (complimentary offering)
- Primer/CLE Presentation
  - Overview of the audit process and steps that can be taken to prepare for it (complimentary offering)
- Hotline/Helpdesk
  - Monthly bank of hours dedicated to counseling on general HIPAA compliance and/or preparation for pending audits (offered at a fixed fee)
- Policy Audit and Gap Analysis
  - Review of your company’s existing policies for HIPAA privacy compliance gaps and suggested steps for improving compliance and mitigating risks (offered at a fixed fee)
- Model Policies and Procedures
  - Suite of HIPAA privacy and security policies, including data breach notification policies, privacy procedures and training materials (offered at a fixed fee)
OCR Resources
- $2.5 million settlement shows that not understanding HIPAA requirements creates risk
- HIPAA settlement demonstrates importance of implementing safeguards for ePHI
- Permitted Uses and Disclosures: Exchange for Public Health Activities Fact Sheet
- New Guidance on HIPAA and the FTC Act
- Cloud Computing Guidance
  - OCR’s FAQs on this topic may be found under “Business Associates – Cloud Computing”
- New FAQ on Availability of PHI Maintained by a Business Associate
- Guidance for 2016 HIPAA Desk Audits
- New FAQ: HIPAA and Unique Device Identifiers
- OCR’s Phase Two HIPAA Audits Have Begun
- OCR New HIPAA Guidance on Ransomware
- Procedural Requirements
- Training Materials
- Model Grievance Procedure
- Translated Resources for Covered Entities
- Patient Protection and Affordable Care Act
- The Secretary of HHS’ letter on ransomware to CEOs of companies in the health care sector
- HIPAA Privacy, Security, and Breach Notification Audit Program
- Pre-Screening Questionnaire
- Resolution Agreements
- Case Examples
- HIPAA Guidance Materials
- Breach Notification Guidance