With the HHS / OCR announcing the launch of Phase 2 of the HIPAA Audits, it’s a good time to re-evaluate your audit risk. Now, I realize that many practices and healthcare vendors are operating with tight resources, so it may seem worth it to play the odds.
After all, when you take into account the sheer number of covered entities and business associates, aren’t you at a relatively low risk for an OCR HIPAA audit? Yes. But unfortunately, there are several far-too-common instances where you can unexpectedly find those odds weighing against you:
After a breach report.
You have a privacy breach when someone accidentally contacts the wrong patient and leaves a voicemail about their test results. You must report the breach. Now you’re on OCR’s radar.
After a complaint call.
A patient (or anonymous consumer) complains to OCR about your privacy practices because, when sitting next to you on the commuter train, they could clearly see patient information on your laptop screen.
After a whistleblower report.
A former (disgruntled) employee complains to OCR about your information security: lack of lockdown, people sharing passwords, information left openly on desks.
Putting together a tight privacy and security compliance program takes time and resources, it’s true. But when you’re weighing the odds, remember that it comes down to the longtime, simple fact that privacy and security compliance is the law. Why take the risk?
Apgar and Associates can help you prepare for OCR HIPAA Audits. Contact us for more information, or with questions and concerns about your program at 877-376-1981. Apgar and Associates is also the home of the compliance consulting subscription program for qualifying organizations.