Written by Karen Pursch, Director, Patient Privacy Solutions
News that your organization could be facing an audit is usually cause for anxiety and much gnashing of teeth. At best, it means scrambling to assemble the required information before the deadline expires. At worst...well, let’s not go there.
But sometimes an audit can have a silver lining (assuming you’re ready for it). A case in point: the next round of OCR patient privacy audits.
A little background in case you haven’t heard: after a long delay, the HHS Office for Civil Rights (OCR) is finally launching Phase 2 of its HIPAA audit program. Its purpose is to review policies and procedures used by covered entities and their business associates to ensure they are complying with the federal healthcare privacy law. Unlike Phase 1, which was a pilot held in 2012 that had no penalties, this time organizations risk steep fines if they fail.
To start the process, OCR is sending emails to covered entities and business associates to verify their addresses and primary contact information. Once they receive responses, OCR will send a questionnaire to gather details about the organization’s size and operations in preparation for possible selection for a random audit.
Caution: If you ignore these messages (or let them languish in your spam folder), you’re not off the hook. OCR will just use the information they have on file and place your organization in their audit pool anyway.
Now that these audits are finally happening, it’s only natural to focus on the stress and time involved — not to mention the possible penalties if you fail. No doubt you have enough on your plate without this added headache. But let's step back for a moment and look at the larger context. There are real threats out there. Organizations don’t always take the necessary precautions, and pay the price later.
Despite years of warnings from security experts, healthcare organizations continue to be hit by major data breaches. OCR maintains a list of breaches affecting at least 500 individuals, with the most recent at the end. It’s a pretty sobering list. There have been quite a few breaches in 2016 alone, impacting many thousands of patients (and possibly the careers of a few IT and security folks).
Considering all the damage these breaches have caused, it’s a pity that OCR wasn’t able to launch these audits sooner. Knowing that an audit was looming would have been an incentive to put security measures in place that could have prevented many of these breaches, or greatly minimized their cost, bad press, and drama.
Now that Phase 2 audits are imminent, keep in mind that it’s not just a regulatory hurdle to jump over. It’s also possible for it to be an opportunity — so go ahead and embrace an OCR audit if your organization is chosen.
In a recent SearchHealth IT article, “After many delays, OCR HIPAA Audits will start in 2016," our own Rob Rhodes shares this view about the upcoming audits, reminding us that demonstrating HIPAA compliance isn’t just about complying with regulations. A good performance in an audit can be a valuable marketing tool, demonstrating that you take patient privacy seriously — and you’re able to prove it.
So look on the bright side. If you do well in the audit, you’ll be able to share the good news with your patients and community. You’ll also have a much better chance of staying off that horrible breach list.
If you want to understand more about how you can embrace and prepare for an OCR audit, please stop by Booth #200 at HCCA in Las Vegas — April 17th through April 20th.