Written by David Holtzman, Vice President of Compliance, CynergisTek, Inc.
One thing is for sure: you don't want to wait until you get a notification letter from the Office for Civil Rights (OCR) to start preparing for a HIPAA compliance audit. Organizations that go through an audit have only one chance to submit all requested documentation, so it's crucial to get it right.
What OCR Is Planning
OCR said they are nearly ready to launch Phase 2 of the HIPAA/HITECH audit program. In this first round, OCR has awarded a contract to an outside vendor to audit 200+ covered entities (CEs) — including healthcare providers and employer-sponsored group health plans — to measure their compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification requirements. After OCR completes the CE audits, they plan to begin audits of business associates (BAs) to measure their compliance.
According to OCR, most of the CE audits will be “desk audits,” requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet HIPAA requirements. OCR will also conduct some comprehensive, on-site audits in this first round of audits.
What an Audit Will Focus On
While OCR’s audit protocol has not been finalized, the agency has identified areas where it intends to focus its attention:
How to Prepare
Healthcare provider practices and health plan administrators should prepare now so they’re ready if they are selected for a desk audit:
Want to learn more about OCR random audits? Sign up for our webcast. My colleague, Mac McMillan, Chair of the HIMSS Privacy & Security Policy Task Force, will discuss OCR HIPAA audits and how you can prepare.