At the Healthcare Information and Management Systems Society (“HIMSS”) Privacy and Security Forum this week, Linda Sanches, health information privacy senior advisor for the Office for Civil Rights (“OCR”), revealed certain additional information about upcoming HIPAA audits:
- HIPAA audits have been delayed due to an internal technology update within OCR. This technology will make audits less labor intensive for OCR officials when they do occur.
- OCR still plans to use a pre-audit screening process to select auditees.
- During the next round of audits, OCR initially planned to conduct 400 desk audits and a certain number of on-site, comprehensive audits. Now, OCR plans to conduct fewer than 200 desk audits.
- Several hundred entities have already been selected for the pre-audit screening process; OCR is currently verifying their contact information.
- During each Covered Entity audit, OCR will look for: policies and procedures and evidence of their implementation; proof of periodic risk analyses; and a complete list of Business Associates utilized, with contact information. OCR will then select Business Associates to audit from the lists provided by the Covered Entities.
- OCR seeks to audit various types of Covered Entities, and within each group, will audit a random geographic distribution of small and large entities.
- OCR is especially focused on the completion of risk analyses, since through performing such analyses, entities identify risks to Protected Health Information (“PHI”) and learn what corrective action is needed.
Entities are encouraged to shore up their HIPAA compliance programs in advance of the audits commencing. In particular, if any entities have not performed a recent risk analysis, they are encouraged to initiate that process.