The HHS Office for Civil Rights (OCR) plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. What are the main takeaways from this new program? What should my organization be aware of in terms of HIPAA privacy compliance?
OCR plans to resume their HIPAA audit program later this year as a follow-on to a 2012 pilot program conducted by KPMG auditors. In this new program, OCR will select an undisclosed number of covered entities and business associates for HIPAA compliance audits.
The most important thing to know about the program is that the HIPAA audits will most likely be narrow in scope, focusing on a handful of specific issues OCR identifies as compliance problems. You might turn to the issues covered by recent HIPAA enforcement actions for some clues on audit subject matter. It would not be surprising to see audits focus on impermissible disclosures of protected health information, patient access to records and appropriate security controls.
Narrowing the scope of audits does allow OCR to cover a larger number of organizations, so expect audit notices to go out in greater quantities than during the pilot program. If you receive one of those notices, you should prepare just as you would for any other audit. Assuming your HIPAA compliance program is up to snuff, it would be a good idea to take a pass through your compliance plan and ensure all of your controls remain in tip-top shape.
Collect documentation in advance and be ready to provide quick answers to any auditor questions. The more put together your response is, the more likely the auditors will simply review your documentation and move on. When an organization struggles to provide answers and offers sloppy documentation, they're waving a red flag in front of the bull.