Have you started preparing for a HIPAA compliance audit? Will you be able to supply compliant documentation to OCR auditors if your organization is selected for an audit later this year?
Time to Start Preparing for a HIPAA Compliance Audit
The Office for Civil Rights (OCR) will be auditing covered entities later this year and assessing compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
The first round of HIPAA compliance audits took place in 2011/2012 and was more general in nature. The second phase of audits will be narrower in scope and will cover many of the aspects of HIPAA that have proved problematic for covered entities in the past. While the second phase is narrower in scope than the first, there are still many aspects of HIPAA that could be assessed, and OCR auditors may request extensive documentation to demonstrate compliance. Covered entities have recently been advised to start preparing for a HIPAA compliance audit now in case they are selected for audit.
The OCR has already sent emails to covered entities requesting contact information and is in the process of updating its database of covered entities. The pool of eligible covered entities is almost complete and the next step will be to select a geographically representative sample of covered entities for audits. The audits will be conducted on healthcare providers, health plans, and healthcare clearinghouses of all sizes.
If selected for audit, covered entities will not have long to prepare documentation to send to the OCR. Documentation requests will be sent by email and covered entities are expected to respond and upload documents to the OCR website within 10 days.
Deven McGraw has suggested that covered entities should start preparing for a HIPAA compliance audit now in case their organization is selected. McGraw recommends that covered entities use the OCR audit protocol as a guide to the types of evidence of HIPAA compliance that they may be asked to produce.
By working through the audit protocol, covered entities can ensure that documentation exists, is readily accessible, and can be supplied quickly. McGraw says that this can be used as an exercise to self-test for HIPAA compliance. The audit protocol for the second round of HIPAA compliance audits can be viewed on this link.
HIPAA compliance audits of business associates will take place after OCR auditors have completed the desk audits on health plans, healthcare providers, and healthcare clearinghouses. The OCR must go through the same process of verifying contact information and forming a pool of suitable business associates. While business associates have a little more time to collate all of their HIPAA documentation, they should start checking their compliance efforts now to ensure they can respond quickly if selected for audit.