June 8, 2016 - 3:45pm
OCR HIPAA Audits Under Way – What This Means for You

Have you heard that the Office for Civil Rights (“OCR”) has started its new HIPAA audit program?  In March, OCR announced that its long-awaited second round of HIPAA audits was under way, with desk audits and some on-site audits of both covered entities (health care providers, health plans, and health care clearinghouses) and their business associates (vendors and service providers that use protected health information).  With these “Phase 2” audits, OCR will be evaluating compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Although OCR will audit only a relatively small number of covered entities and business associates (approximately 200) in the current round, OCR will use the results of the current Phase 2 audits to establish a permanent audit program.

What does this mean for you?  If you are a covered entity or a business associate, it means that you could be the subject of a Phase 2 audit.  The key to a successful audit outcome is preparation.  For starters, your privacy and/or security officer (or any other responsible party) should compile all of your HIPAA compliance materials and thoroughly evaluate what might need to be updated.  Also, ask yourself the following questions:  Have you conducted a risk assessment lately?  Do you have a list of business associates, and do you have a business associate agreement with each one?  Do any of your policies and procedures need to be updated to reflect your current practices?

HIPAA is a significant area of enforcement for OCR.  Given the frequency of breaches and high-profile cyberattacks, covered entities and business associates need to be aware that OCR scrutiny occurs not only through the audit program, but also as a result of reported complaints or a covered entity’s breach notification response.  HIPAA plays a key role in protecting the security and privacy of individuals’ health information, and it is here to stay.  As OCR continues to focus on HIPAA compliance, providers should make sure that HIPAA is a permanent part of their compliance program.