The HHS Office for Civil Rights (OCR) announced yet another delay in the start of the long-awaited HIPAA Audit Program. This time, a technology upgrade is to blame.

In June, we blogged about the OCR’s plan for Phase 2 of its audit program, which was projected to include 100 Privacy audits, 100 breach audits and 150 security audits. Healthcare providers were to represent two-thirds of the covered entities to be audited. Business associates were projected to account for additional audits, to be conducted in 2015.

Entities that received an address verification letter in the spring were supposed to receive audit letters in the fall. However, an upgrade to the online portal OCR uses to collect information from those being audited has delayed the process. OCR says it is “ready to go” and is just waiting on the technology that will make analyzing the collected data less labor intensive.

As a result, the total number of desk audits, originally projected at 400, has been reduced to fewer than 200, according to OCR Senior Advisor Linda Sanches, as reported by Health IT Security. Sanches, who heads the health information privacy, security and breach notification audit program mandated by the HITECH Act and is in charge of OCR enforcement, policy and outreach, shared the update at the recent HIMSS Privacy and Security Forum.

Sanches also explained how entities will be selected. A variety of entities, such as hospitals, physician practices, dental offices and others, will be drawn from the NPI database. That group will then be narrowed to a random sample with a geographic distribution spanning small and large providers. Those selected may already have received email verification notices and will soon be sent a prescreening survey. We’ve heard about this pre-audit survey before; we now know that the screening tool will also rely on the same portal technology.

Sanches, in her interview at the forum, provided the following advice to covered entities:

  1. Complete a thorough and professional risk analysis. Auditors will be looking for a “periodic risk analysis and evidence of compliance, as well as documentation of policies and procedures being in place.” She emphasized that a thorough risk analysis and up-to-date HIPAA policies are the foundation of a HIPAA compliance program.
  2. Know your Business Associates. Auditors will ask for the complete list, with contact information and the services each BA provides to your organization. They’ll use these lists to select BAs for their own HIPAA audits.
  3. Use encryption to limit breaches. Most OCR enforcement actions stem from the failure to conduct a thorough, periodic risk analysis, which would include a review of your encryption practices. Theft and loss of devices continue to be among the greatest causes of privacy breaches, and encryption is an easy and affordable safeguard: PHI encrypted consistent with HHS guidance is not considered “unsecured,” so the loss of an encrypted device generally does not trigger breach notification.

We’ve heard most of this advice before, but it never hurts to be proactive. Once the audits begin and your organization receives a letter, you’ll have only two weeks to respond.
