BOSTON — An HHS Office for Civil Rights official said Wednesday that the agency will be conducting on-site audits of hospitals in 2017.
OCR currently has more than 200 audits ongoing – 167 of those focused on providers, and just last week it sent out 48 to business associates, OCR senior advisor Linda Sanches said here at the HIMSS and Healthcare IT News Privacy & Security Forum.
"We will be conducting a small number of on-site audits in 2017," Sanches added. "Obviously your chances of getting an audit are very, very low."
OCR is using the audit process, Sanches explained, to find risks and vulnerabilities the government is neither aware of otherwise nor likely to learn about through filed complaints.
HIPAA-covered entities have 10 days to respond to a desk audit. OCR is looking for policies and procedures to address privacy rule controls, breach notification rule controls and security rule controls.
"We’re looking for evidence that you are implementing the policies and procedures," Sanches said. "Two huge problems we’re seeing are implementation of risk analysis and risk management."
John Houston, UPMC vice president and associate counsel, pointed out to Sanches and OCR regional manager Susan Rhodes that information about exactly what OCR demands is lacking.
"We do a lot of stuff we consider to be a risk assessment but there’s not clarity on what that really means from OCR’s perspective," Houston said.
Rhodes answered that OCR requires entities to look at their own universe – and added that one-size fits all risk analysis is not realistic.
"There’s a lot of guidance on our web site – a lot," Rhodes said. "We put out a lot more than is commonly understood."
The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016.
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet