Are you prepared?
Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:
1. Confirm that the organization has recently completed a comprehensive assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the PHI it holds (the Risk Assessment), and that the assessment covers every system that creates, receives, maintains or transmits electronic PHI
2. Confirm that all action items identified in the Risk Assessment have been completed or are on a documented, reasonable timeline to completion, with an owner assigned to each open item
3. Ensure that the organization has a complete inventory of business associates and their contact information for purposes of the Phase 2 Audit data requests
4. If the organization has not implemented any of the Security Standards’ addressable implementation specifications for any of its information systems, confirm that the organization has documented (1) why the addressable specification was not reasonable and appropriate for that system, and (2) any equivalent alternative security measures that were implemented in its place (or why no alternative measure was needed)
5. Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards (including the requirement to notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach)
6. For health care provider and health plan covered entities, ensure that the organization has a compliant Notice of Privacy Practices; a website privacy notice is not a substitute for it
7. Ensure that the organization has reasonable and appropriate safeguards in place for PHI in every form in which it exists, including paper records and oral communications, not only electronic PHI
8. Confirm that workforce members have received training on the HIPAA Standards necessary or appropriate for them to perform their job duties, and that the organization has documented who was trained, on what, and when
9. Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment)
10. Confirm that all systems and software that store or transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption for a given system and describing the equivalent alternative measures implemented instead
11. Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI; a security policy that merely requires a physical security plan is not sufficient unless the plan itself exists for each location
12. Review the organization’s HIPAA security policies to identify any actions that the policies require but that have not been completed (physical security plan, disaster recovery plan, emergency access procedures, etc.), since auditors will test whether the organization follows its own written policies