If you didn’t receive a HIPAA pre-audit questionnaire from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) last summer, you likely breathed a heavy sigh of relief. But don’t rest easy just yet, as your audit reprieve could be short-lived.
Approximately 400 audits are coming, and organizations selected to be audited will have only 15 days from the date of notification to provide the requested documentation. Yes, you read that correctly: only 15 days. Because they will be audited on what was in place at the time of the notification letter, it is more important than ever that an organization’s risk assessment is continuously up to date, and that its policies and procedures reflect actual practice before a letter arrives. The same now applies to the organization’s business associates.
Organizations not selected for an OCR audit must still be prepared in case of complaints and subsequent compliance reviews, for which the OCR has stated it plans to significantly increase investigations. For organizations that have been audited in the past, it should come as no surprise that the OCR will pay special attention to the compliance issues it identified in its previous round of audits.
Has your organization experienced internal changes recently? Certain internal changes can trigger a new look at risks. For this reason, be sure to perform a careful risk assessment when implementing changes to information systems, especially when those changes involve updates to web-based applications or portals that give consumers access to their health data over the Internet.
And while high-profile data breaches with massive fines are rare, OCR investigations can still result in substantial penalties. Health care organizations and their business associates can expect the number and cost of investigations to continue to rise, and OCR will continue this uncompromising enforcement posture well into the future.
For more information, please download: “Privacy & Security Audits: How to Prepare and Ensure Compliance” from the editors of FierceIT.