The U.S. Department of Health and Human Services (HHS) Office for Civil
Rights has begun its Phase 2 HIPAA
HHS auditors will review the policies and
procedures that practices and other covered entities have adopted and use to
meet certain standards and implementation specifications of the HIPAA Privacy,
Security, and breach notification rules.
According to the American Medical Association, “OCR underscored
that the audit results are a tool to identify best practices and discover risks
and vulnerabilities that OCR may not be aware of through their normal
enforcement mechanisms and will be used for educational purposes, not
enforcement. The agency noted that if it uncovers a serious compliance issue
through the audit process, it may initiate a compliance review to further
investigate. The ultimate goal of the audits, however, is to help OCR provide
better guidance to the health care community.”
OCR’s initial round of audits is limited in scope. However, the full
audit protocol covers some 180 key activities. In
fact, the protocol table makes for a comprehensive checklist for HIPAA compliance. Here is a smattering of the activities for
which you should have written policies and procedures and be able to show that
you’ve followed them, if applicable.
- How do you determine if a person has authority to
act on behalf of a patient, for example in regard to minors or the deceased? Do
your policies and procedures protect deceased patients’ protected health
information for 50 years following their death?
- How do you provide for and accommodate requests
by patients for confidential communications, for example to contact them only
at a certain phone number or only by mail at a certain address?
- How do you determine when you need a patient’s authorization, rather than consent, to disclose PHI? How do you obtain a valid
authorization when required?
- How do you identify business associates, and do
you have a business associate agreement with each?
- What are your policies and procedures for
disclosing PHI to family members, relatives, close personal friends, or others
your patient has identified; in disaster relief efforts; for
public health activities; about victims of abuse, neglect, or domestic
violence; for judicial proceedings; in response to a law enforcement request; to
a coroner, medical examiner, or funeral director?
- Have you conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of all the ePHI you create,
receive, maintain, or transmit?
- What security measures have you implemented to
reduce risks and vulnerabilities to a reasonable and appropriate level? How do
you monitor them?
- What are your policies and procedures regarding
employees who violate your practice’s security policy?
- How do you provide employees access to ePHI
appropriate to their job duties?
- Do you have and follow a security awareness and
training program for staff?
- How will you determine if an impermissible use or disclosure of PHI requires
notifications under the breach notification rule?
- How will you notify patients of a breach of their
- In case of a breach that requires notification,
are you prepared to notify the next of kin or a personal representative (if you
have his or her address) when you know the affected patient is deceased?
- Do you have a process in place for individuals to
complain about your compliance with the breach notification rule?
Visit the TMA HIPAA Resource Center for tools and information to help you get into HIPAA
compliance, like a sample authorization form and a sample business associate
agreement. Learn about HIPAA security by taking courses in the TMA Education Center, including
HIPAA training for staff. See also training materials on HIPAA privacy and security from HHS.
Published July 28, 2016
Last Updated On February 02, 2017