Back in August, I blogged about the upcoming 2011 HIPAA Violations and Audits, and news of the government’s $9.2 million contract with auditing firm KPMG. Now that the OCR has officially launched its HIPAA Audit Program, even more relevant information has been released:
- Who: Every covered entity and business associate is eligible (although the program site states that “Business Associates will be included in future audits,” suggesting they won’t be addressed in this audit). HHS.gov states that the OCR may consider covered individual and organizational providers of health services, health plans of sizes and functions, and healthcare clearinghouses may be considered as well.
- What: OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance.
- Why: To satisfy the American Recovery and Reinvestment Act of 2009 (ARRA) Section 13411 of the HITECH Act and to check compliance with HIPAA Privacy and Security Rules and Breach Notification standards.
- When: November 2011-December 2012.
Three Steps to the HIPAA Audit Process
- Staged in a three-step process, the first step was developing audit protocols.
- The second step will be the initial wave of audits in November 2011. This step will help shape how the rest of the audits will be conducted.
- Finally, the third step will be the full range of conducted audits.
How Will the Audit Program Work?
- Entities selected for an audit will be notified by the OCR and will have to provide documentation of privacy and security compliance efforts.
- Every audit requires a site visit and an audit report.
- Site visits will include interviews with key personnel and general observation of processes and operations to help determine compliance.
- After the site visit, auditors will give the entity a draft report showing how the audit was conducted, audit findings, and what actions the entity is taking in response to the findings.
- Before the report is finalized, the entity has a chance to discuss concerns and describe corrective actions taken to address those concerns.
- Final OCR report will include the steps the entity has taken to resolve compliance issues and describe the best practices of the entity.
Simplified Audit Schedule
2011-2012 HIPAA Audit Timeline
What is the OCR Planning to Get From These Audits?
The OCR will use the audit reports to determine what types of technical assistance needs to be developed and what types of correction action are most effective.
Need More HIPAA Guidance?
If you’re not sure if your hosting solution is HIPAA compliant, or if your patient health information (PHI) is being secured in a HIPAA compliant data center, check out the Five Questions to Ask Your HIPAA Hosting Provider to get informed.
Looking for more information on the latest HIPAA ongoings? Check our HIPAA compliance blog category, HIPAA FAQ, or watch our recent HIPAA webinars to get educated on what you need to be HIPAA compliant.