Despite the Office for Civil Rights audits for HIPAA being postponed, I'd still like my organization to be prepared if we need to be. What types of organizations are eligible for OCR audits? What are some good ways to prepare for them? What are the penalties if you are found to be noncompliant?
HIPAA audits are coming. If it seems like you heard that a few times, but the audits never materialized, you're right. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) conducted a pilot HIPAA audit program in 2012 and a broader rollout was expected in 2013 but was delayed by funding cuts. The program was then expected to begin in 2014 but experienced additional delays; now the OCR says that the audits will begin sometime this year, though the agency hasn't yet committed to a firm timetable.
It is definitely a good time to review your audit preparedness. How can you do that? Fortunately, OCR publishes its entire audit protocol on the Web. There are no surprises during a HIPAA audit since the protocol spells out the procedures auditors must follow when conducting a program audit. For example, when auditors are examining an organization's workforce clearance process, they must follow this procedure:
"Inquire of management as to whether procedures exist for granting access to ePHI. Obtain and review policy and procedures and evaluate the content in relation to the relevant specified performance criteria. Obtain and review evidence of approval or verification of access to ePHI. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so."
No secrets there. So, what should you do to prepare for an audit? Download the OCR audit procedure and walk through it for your organization. If there is a question you're not able to answer with clear and convincing evidence, that's likely where your organization will stumble during an audit.
Passing an audit is important. Organizations that fail audits may become the targets of HHS compliance actions, which can result in fines and other penalties. OCR provides detailed information on its website about organizations that received HIPAA compliance fines ranging into the millions of dollars. You don't want your company to appear on that list.