Wednesday, September 9, 2015 5:52 PM

Are You Ready for the Return of OCR’s HIPAA Audit Program?

Written by David Holtzman, Vice President of Compliance, CynergisTek, Inc.


One thing is for sure…you don’t want to wait until you get a notification letter from the Office for Civil Rights (OCR) to start preparing for a HIPAA compliance audit. Organizations that are going through audits have only one chance to submit all requested documentation, so it’s crucial to get it right!

What OCR Is Planning

OCR said they are nearly ready to launch Phase 2 of the HIPAA/HITECH audit program. In this first round, OCR has awarded a contract to an outside vendor to audit 200+ covered entities (CEs) — including healthcare providers and employer-sponsored group health plans — to measure their compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification requirements. After OCR completes the CE audits, they plan to begin audits of business associates (BAs) to measure their compliance.

According to OCR, most of the CE audits will be “desk audits,” requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet HIPAA requirements. OCR will also conduct some comprehensive, on-site audits in this first round of audits.

What an Audit Will Focus On

While OCR’s audit protocol has not been finalized, the agency has identified areas where it intends to focus its attention:

  • Privacy Rule compliance — how healthcare providers and health plans are meeting Privacy Rule requirements for notices of privacy practices, and how providers are handling patients’ right to access their Protected Health Information (PHI) and to receive an electronic copy
  • Security Rule compliance — policies and procedures for risk analysis of the safeguards protecting information systems that handle e-PHI, as well as the organization’s mitigation plan to address gaps identified through the assessment
  • Breach Notification Rule compliance — whether an unauthorized use or disclosure of PHI is reportable under the Breach Notification Rule, as well as processes for making required notifications if a breach occurs

How to Prepare

Healthcare provider practices and health plan administrators should prepare now so they’re ready if they are selected for a desk audit:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required audit documentation and clearly understand the submission process
  • Consider conducting a mock audit (either by internal staff or by a third-party specialist) to make sure you’re prepared for the real thing

Want to learn more about OCR random audits? Sign up for our webcast. My colleague, Mac McMillan, Chair of the HIMSS Privacy & Security Policy Task Force, will discuss OCR HIPAA audits and how you can prepare.