
What do organizations need to know about privacy in a HIPAA audit?

A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.

The HHS Office for Civil Rights (OCR) plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. What are the main takeaways from this new program? What should my organization be aware of in terms of HIPAA privacy compliance?

OCR plans to resume its HIPAA audit program later this year as a follow-on to a 2012 pilot program conducted by KPMG auditors. In this new program, OCR will select an undisclosed number of covered entities and business associates for HIPAA compliance audits.

The most important thing to know about the program is that the HIPAA audits will most likely be narrow in scope, focusing on a handful of specific issues OCR identifies as compliance problems. You might turn to the issues covered by recent HIPAA enforcement actions for some clues on audit subject matter. It would not be surprising to see audits focus on impermissible disclosures of protected health information, patient access to records and appropriate security controls.

Narrowing the scope of audits does allow OCR to cover a larger number of organizations, so expect audit notices to go out in greater quantities than during the pilot program. If you receive one of those notices, you should prepare just as you would for any other audit. Assuming your HIPAA compliance program is up to snuff, it would be a good idea to take a pass through your compliance plan and ensure all of your controls remain in tip-top shape.

Collect documentation in advance and be ready to provide quick answers to any auditor questions. The more put together your response is, the more likely the auditors will simply review your documentation and move on. When an organization struggles to provide answers and offers sloppy documentation, it is waving a red flag in front of the bull.


This was last published in July 2015
