A lot of conversations about OCR resuming a random audit program started at HIMSS14 Annual Conference & Exhibition after Susan McAndrew, deputy director of OCR, presented “HIPAA Compliance: Stepping It Up In 2014”. OCR has made a lot of progress to initiate the program and will expand it to include covered entities and business associates. Based on recent discussions with OCR, audits can start as early as April even though the permanent audit program is not anticipated to begin until October, FY 2015.

On February 24th, OCR came one step closer to being ready to start the audits by posting a notice in the Federal Register that said they will send a survey to 800 covered entities and 400 business associates to determine suitability to audit the organization. McAndrew told HealthcareInfoSecurity that not all 1,200 will face an audit but they will select suitable organizations at random. Additionally, OCR has been ramping up efforts by developing the protocol for the audits over the past 18 months and hiring additional staff with particular expertise in information security and auditing. While at HIMSS, David Holtzman, VP of privacy & security compliance services for CynergisTek, told HealthcareInfoSecurity, “This represents a formidable team that can go out and do a limited number of audits and ask meaningful questions and develop meaningful results.” He also believes there is a good chance that OCR will begin the first phase of the audit program by April. “It may not be the full or permanent audit program that they envision…but what is clear is that they are identifying folks who could be targeted for an audit.”

In the 2012 pilot, OCR audited 115 covered entities, and the results indicated that most organizations had some observations and findings of non-compliance. Only 11% did not have any observations or findings. When OCR presented an entity with a finding of non-compliance, the most common excuse was “unaware of the requirement”. A majority of non-compliance fell under the HIPAA Security Rule, and one big contributor to the number of security findings was inadequate risk analysis. Risk assessments should be conducted and/or reviewed annually, and should be reviewed whenever a material change is made to the operating or technical environment. Holtzman also points out to HealthcareInfoSecurity that lack of encryption continues to be a big issue and that many breaches and security incidents are the result of an unencrypted device being stolen or lost. His podcast with HealthcareInfoSecurity covers these points in more detail.

Now is the time to review where your privacy and security programs are and make improvements before the audits resume. CynergisTek can help both covered entities and business associates (vendors) increase their compliance and audit readiness with a range of consulting services and engagements. CynergisTek’s services focus on governance, security frameworks, resource allocation, technology gaps and other factors that affect successful implementation of security, and will help determine the best approach to security. We offer a Risk Assessment that utilizes OCR’s recommended NIST methodology and meets the requirements outlined in the HIPAA Security Rule. CynergisTek also offers an OCR Mock Audit designed to test your organization’s readiness to respond, identify where improvements need to be made, and prepare the entire staff in case you are ever audited.