Get Ready for the OCR’s Second-Phase Audits

The Department of Health and Human Services’ Office of Civil Rights (OCR) has begun its second phase of audits to gauge covered entities’ compliance with HIPAA’s security and privacy requirements.

HIPAA-covered entities will have their compliance efforts put to the test and Business Associates will not escape. They too will be assessed using the HIPAA Privacy, Security and Breach Notification Rules.

Here are some things you need should the OCR come knocking at your door:

  • A documented risk assessment.
  • Written policies and procedures that address the privacy and security standards and any vulnerabilities that were found during the risk assessment.
  • A written incident response plan for responding to breaches of unsecured Protected Health Information (PHI).
  • A security plan for mobile devices and storage media and/or a Bring Your Own Device (BYOD) policy regarding your staff’s personal mobile devices.
  • A documented training program for new workforce members and periodically for all of your staff.
  • A compliant Notice of Privacy Practices for patient review.
  • Appropriate agreements with your business associates.

Comments are closed.