I’ve been updating all about the permanent or “second round” of OCR HIPAA audits for a while now. The HIPAA Audit program was initially to launch near year-end 2014. Now, we’re seeing details of the program, even though we don’t know when the OCR HIPAA audits will actually begin. However, OCR is taking the first steps to launch the next round and here’s what we do know:
The Office of Management and Budget (OMB) received the pre-audit survey for approval from OCR in May 2014. Now that OMB has approved the survey for distribution, OCR will be sending it out to a randomly selected group of 500 CEs initially. They will then select a subset of that group to audit. Also, OCR will compile a list of BAs, likely provided by the CEs who are the lucky recipients of the survey. The pre-audit survey will also be sent to 200 of those business associates.
OCR Pre-Audit Survey: Intention & Readiness
The survey is intended to assess the size, complexity, use of electronic health records, number of locations, number of insured lives, revenue, how many patient visits, and most importantly, the fitness of the organization to be audited. The notice issued by OCR noted that the need for the survey is to help OCR collect information to determine the respondent’s suitability for a HIPAA audit. What criteria will OCR use to select an organization for an audit? We’re still waiting on an answer.
The HITECH Act mandated that OCR conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. Now that we’re well past the pilot audits, it looks like OCR is getting serious about moving forward. While we don’t know the details yet, including the audit protocol, it’s more than time for you to prepare. If you’re interested in taking a look at the survey, here’s the link.
Are you ready for OCR HIPAA Audits? I’ve put together these question sets for Covered Entities and for Business Associates; so ask yourself about your own HIPAA compliance program:
Covered Entities
- Have you updated your Notice of Privacy Practices?
- Are you making sure you’re addressing patient privacy rights?
- Do you have a process in place to assess the validity of patient authorizations?
- Have you performed a Risk Assessment?
- Have you provided HIPAA security training for all employees?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have updated Business Associate Agreements?
- Have you implemented an audit program?
Business Associates
- Are you a Business Associate?
- Are you attending to your HIPAA Privacy Rule responsibilities?
- Have you performed a Risk Assessment?
- Have you provided HIPAA security training for all employees?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have Business Associate Agreements with your subcontractors?
- Have you implemented an audit program?
When we conduct Mock OCR HIPAA Audits, we work directly with Privacy & Security Compliance Officers, COOs, HR staff, physicians, clinical staff, IT, the whole workforce. It’s amazing the things that can slip between the cracks in even the most efficient, HIPAA-conscious organization. Now OCR’s gotten serious. Let’s get ready.
