TIME SENSITIVE: What you need to know about the second phase of OCR’s HIPAA audit program

On July 11, 2016, selected health plans, health care providers and health care clearinghouses were sent notification letters regarding their inclusion in the second phase of OCR’s HIPAA audit program.

This portion of the program is a desk audit and review of the selected entities’ documentation for compliance with the following, commonly noncompliant, areas:

  • Privacy Rule – Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]; Provision of Notice-Electronic Notice [§164.520(c)(3)]; Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
  • Breach Notification Rule – Timeliness of Notification [§164.404(b)]; Content of Notification [§164.404(c)(1)]
  • Security Rule – Security Management Process-Risk Analysis [§164.308(a)(1)(ii)(A)]; Security Management Process-Risk Management [§164.308(a)(1)(ii)(B)]

Be sure to check your spam filter for emails from OSOCRAudit@hhs.gov. If you have been selected, you have until July 22, 2016 to respond to OCR’s request.

For more information, please visit: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html