2014 is here, and that means the long-delayed U.S. Department of Health and Human Services (HHS) random HIPAA audits may be starting soon. As we shared in another recent post (“Rodriguez of OCR discusses HIPAA Enforcement, other topics”), the Director of the HHS Office for Civil Rights (OCR), Leon Rodriguez, disclosed that the long-awaited random audit program would start in “early 2014.” He also shared that the ongoing program will include more entities and that the audits will be more targeted than what we saw from the pilot program.
In a recent development, the HHS Office of the Inspector General (OIG) found that OCR itself failed in its obligations for oversight and enforcement of HIPAA. In particular, it failed to implement the congressionally mandated random audit program in a timely manner. While this was no news to those of us in the HIPAA community, the OIG’s report (available here) details the extent of OCR’s noncompliance.
The report states that OCR had not properly assessed risks, established priorities, or implemented controls for its Federal requirement to provide periodic audits ensuring the compliance of covered entities. In addition to failing to meet these requirements, OCR also missed opportunities to motivate covered entities to strengthen ePHI security and correct vulnerabilities on a widespread basis.
So, while the watchdog has been asleep, be advised that it is likely to wake up and begin these random audits any day. What does the start of the random audit program mean for your organization and how should you prepare?
- Make sure your organization completes a thorough risk analysis. Rodriguez has mentioned several times that many entities are still failing to conduct a thorough security risk analysis, as required by both Stage 1 and Stage 2 of the Meaningful Use Program. A thorough and professional risk analysis is a critical component of preparedness, so don’t put this step off any longer.
- Evaluate and implement any corrective action steps recommended by your risk assessment. Take action to correct any vulnerabilities before you get audited.
- Consider conducting your own internal audit of your HIPAA compliance. Eagle Consulting offers a variety of HIPAA audits to help organizations assess their compliance.