Chat with us, powered by LiveChat

HIPAA Security and Audit Survival Guide


Image source: Purple Slog








In 2012, the Department of Health and Human Services Office for Civil Rights (OCR) conducted on-site pilot audits during its first round of their HIPAA compliance audit program. A consulting firm OCR hired performed 115 pilot audits during that year. Starting the end of this year or beginning of 2015, OCR is resuming their HIPAA compliance audit program with its second round of audits — performed by OCR staff this time — that will address some red flags OCR found with security issues during 2012 (Slide 2).

What You’ll Be Audited On

This time around, OCR’s random audit of 350 covered entities and 50 business associates will assess the selected organizations’ compliance with the HIPAA privacy, security and breach notification rules. If you’re a covered entity, OCR’s focus is going to be on risk analysis and risk management (security rule part), the material and timeliness of breach notifications (the breach notification rule part) and the notification of privacy practices updates to changes in the HIPAA Omnibus Rule and access to rights (the privacy rule part). If you’re a business associate, their focus is on security risk analysis and risk management and breach reporting to your covered entities.

A desk audit involves you submitting certain content and documentation demonstrating the scope and timeliness of your efforts to comply with HIPAA and its rules. Only send the information asked for and send it on time! Auditors won’t ask you for clarifications or for more information. They’re only going to work with what they have and make their compliance decision off that. If you don’t respond with a submission, you’ll most likely receive a more formal review from the OCR.

When resources are available, OCR will conduct more comprehensive on-site audits (Slide 6), more focused on privacy, in 2015 and likely into part of 2016.

How You’ll Be Notified

OCR is sending close to 1,000 address verification letters (Slide 3), and then from this list, they’re sending a formal audit notification letter to the selected entities. You won’t be sent an email saying you’re being audited, so don’t be tricked by scammers who might send those. If you’re a business associate, OCR will select you from among those of you acknowledged by your covered entities.

How To Ensure You’re Prepared

Your organization’s focus should be protecting the privacy and security of PHI and reducing the probability of a breach. Passing an OCR audit should be the result of an effective compliance culture, not your aim on goal. Here are things you can do to ensure you’re prepared for HIPAA compliance, and in turn, are ready for an audit:

  • Document your security, privacy and breach policies and review and update those policies periodically.
  • Regularly perform a security risk analysis to find any vulnerable areas and create an action plan to fix these possible vulnerable areas.
  • Update your risk analysis and risk management plans if they haven’t been updated in 2+ years.
  • Keep an organized archive of the business associates affiliated with your organization. Update your agreements with them when changes are made.
  • Train your staff so they understand the importance of maintaining a culture of HIPAA compliance and know the required steps to take to protect the PHI your organization handles.

Why is OCR cracking down with their audits? According to David Holtzman, a former senior advisor at OCR, “the healthcare industry is a generation behind banking in safeguarding information.” In 2013, the healthcare industry saw a 138% increase in the exposure of sensitive records, as well as a 20% increase with medical identification theft (Slide 8).

No one looks forward to an audit. Audits are time-consuming and can be uncomfortable to endure. But no one wants to experience a security breach either, and the effects of a breach are much worse to endure than an audit. If you’re already HIPAA compliant, then you’re already prepared to survive an OCR audit.

Speak Your Mind