OCR’s Long Anticipated HIPAA Audit Program is Here


Is Your Organization Ready for the Return of OCR’s HIPAA Audit Program?

One thing is for sure: you don't want to wait until you receive a notification letter from the Office for Civil Rights (OCR) before you start preparing for a HIPAA audit. OCR plans to audit 200(+) covered entities (CE), including healthcare providers and employer-sponsored group health plans, to measure their compliance with the HIPAA Privacy Rule, Security Rule, and breach notification requirements. These CE audits will be followed by up to 400 audits of business associates to measure their compliance with the Security Rule and how they intend to approach their obligations under the Privacy and Breach Notification Rules.

According to OCR, the initial phase of the covered entity audits will be "desk audits," requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet the requirements of the Rules. The specific topics that will be reviewed through the audits have not been announced yet.

While OCR's audit protocol has not been finalized, the agency has identified areas in which it intends to focus its attention. Healthcare providers and health plans will be required to demonstrate how they are meeting the Privacy Rule requirements for notices of privacy practices and the patient's right to access their protected health information maintained by the covered entity. OCR indicated that the scope of the review for Security Rule compliance will cover policies and procedures for conducting the required risk analysis of the effectiveness of safeguards protecting information systems that handle e-PHI, as well as the organization's mitigation plan to address gaps that are identified through the assessment. OCR also identified as a focus area the policies and processes covered entities use to determine whether an unauthorized use or disclosure of PHI is reportable under the Breach Notification Rule, as well as the processes in place for making the required notifications if a breach has occurred.

OCR expects to resume comprehensive, on-site or in-person audits once it has completed this forthcoming round of desk audits. Healthcare provider practices and group health plan administrators should prepare now by going through the steps they would take if the organization were randomly selected for one of those audits. Organizations need to review OCR's audit protocol, as well as the HIPAA and HITECH regulations themselves. Then they need to make sure they have guidelines, policies, and procedures in place to support the regulations and ensure those documents are revised to stay up-to-date. CynergisTek can also help you prepare with our OCR Mock Audit or OCR Audit Readiness services.

May 29th, 2015

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.