5 things to know now about coming OCR HIPAA audits
Nothing sends a shock of fear through a hospital C-suite quite like the word audit. And the second phase of HIPAA audits is slated to begin in early 2016.
Those CIOs, CISOs, CEOs, General Counsel and privacy officers unfortunate enough to receive notification of an impending HIPAA audit from the Health and Human Services Department's Office for Civil Rights will invariably feel that pressure.
While security is a crucial aspect of any health organization, it's another thing entirely to plan accordingly for an OCR audit.
David Holtzman, vice president of compliance at CynergisTek, offered the following tips for healthcare organizations potentially facing an audit:
1. OCR is moving forward with its HIPAA compliance audit program. The audit contract was awarded to FCiFederal, a government operations management and professional services provider. Audits will cover hospitals, healthcare providers, health plans and business associates.
2. Compliance audits are expected to number in the hundreds, not thousands. Healthcare organizations and business associates together can expect approximately 200-300 limited-scope desk audits, intended to create a sample base of covered entities and business associates for assessing compliance with the HIPAA Privacy, Security and Breach Notification Rules.
3. OCR has been transparent about the topics it will target. From the way patients access and obtain their data to breach notification policies, OCR will cover a wide range of functions, which are listed in detail on its site.
4. Prepare now in case your organization is selected. Management should speak with individual staff members to review policies, procedures and guidelines that support HIPAA and HITECH standards. Collect data beforehand and designate an area to keep materials to provide to OCR if needed.
5. Educate staff and leadership on how your organization is preparing for an OCR audit. Keep staff abreast of information relevant to the OCR audit, including prompt attention to communication from OCR. Ensure your C-suite is prepared for the new OCR compliance measurement standards, as well.
OCR will look into security, privacy and breach notification rules to analyze risk, safeguards and implementations, especially those associated with electronic health information and device encryption.
Smart healthcare executives will use the waiting period before audits begin by assessing risk, preparing staff and reviewing policies.