Susan McAndrew, OCR deputy director for health information privacy, said in an interview with Information Security Media Group that the Office of Civil Rights (OCR) will resume its HIPAA compliance audit program. The audit program should resume in the coming months.
Hopefully in coming months you’ll see actual activity that will start up on the audit process.
Covered Entities and Business Associates
McAndrew said that both HIPAA covered entities and business associates will be part of the audits. Approximately 800 covered entities and 400 business associates will be audited.
Up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program.
Focus on Risk Assessments
OCR will focus the audits on whether or not an organization has conducted a timely and thorough HIPAA Risk Assessment.
Among the areas likely to be a focus of OCR examinations in 2014 is whether organizations have conducted a timely and thorough HIPAA security risk assessment, because that was a common weak spot found across the board in the pilot audit program as well as in previous breach investigations, McAndrew said.
Omnibus Rule Changes
The audits will also focus on an organization’s adherence to the HIPAA Omnibus Rule, which went into effect in 2013.
OCR is also “revising the protocol [for the next round of audits] to reflect changes brought by the HIPAA Omnibus Rule, which went into effect last year,” she said.
Are you ready for the HIPAA audits?
- Are you a Business Associate?
- Have you performed a Risk Assessment?
- Have you provided HIPAA security training for all employees?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have Business Associate Agreements with your subcontractors?
Now is the time to get ready for the HIPAA permanent audit program!