OCR Announces HIPAA Audit Program

Don’t get caught unprepared!

On November 8th, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.”[1]

If your organization has not been keeping up with recent changes to HIPAA Privacy and Security Rules, you may be unaware of significant new requirements for covered entities and business associates, such as breach notification, and the drastic overhaul of the enforcement process including a tiered penalty plan.

Audit 101

Beginning November 2011, and concluding December 2012, OCR will complete a pilot audit program of 150 covered entities to “assess privacy and security compliance.” If selected for an audit (and OCR indicates they intend to audit a broad range of covered entities and business associates), the organization will be notified in writing and provided with an initial documentation request. All documentation must be submitted within 10 business days. The audit will include an onsite visit expected to take 3 to 10 business days. The auditor will generate a report; the organization will review it and will have 10 days to submit a written response, including the actions it has taken to resolve any compliance issues. A final report will be submitted to OCR, which will develop recommendations and evaluate the need for corrective actions. Note: Compliance audits may also occur as a result of a Privacy or Security Rule complaint.

How to be prepared

  1. Your compliance officer should review your HIPAA compliance plan. Have you implemented the new requirements, such as Breach Notification, enacted by the HITECH Act?
  2. Review and update policies and procedures. These documents are required and are a primary method to demonstrate compliance with the Rules.
  3. Review and/or complete a Risk Assessment as required. This should include a technical and nontechnical review of the information system. Failure to complete the required analysis may be considered willful neglect under the new tiered penalty plan.
  4. Review or develop a process to identify, document, mitigate and report privacy and security incidents including the required breach notifications.
  5. Review and update Business Associate contracts. Remember that Business Associates are now required to comply with portions of the Privacy and Security Rules.