A new round of federal privacy and security audits will target covered entities along with their business associates. HHS' Office for Civil Rights (OCR) has started sending out e-mails to obtain and verify contact information for covered entities and business associates of various types for possible inclusion in the pool of potential audit subjects. OCR is planning to conduct several audits this year, and every covered entity and business associate is eligible for selection. These include covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities.
The first set of 2016 audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. Desk audits examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules, and auditees will be notified of the subject(s) of their audit in a document request letter. The third set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits do. Some desk auditees may be subject to a subsequent onsite audit.
So, covered entities are in the audit lottery! Prepare for the audits:
- Make sure you have done a HIPAA security risk assessment within the last 12 months.
- Follow up on open areas and have a risk management plan in place.
- Check that your privacy notices and patient right-of-access notices are up to date, to avoid penalties.
- Ensure that all your employees have been trained on HIPAA Privacy and Security within the last 12 months.
- Maintain written documentation of your HIPAA Privacy and Security policies and procedures.
OCR has little tolerance for noncompliance and will come down hard on entities with recurring problems!
For more details, visit the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html