Over at Healthcareinfosecurity.com there is an insightful article on the first HIPAA audits. Some highlights of the article include:
- In the pilot phase, OCR is auditing eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.
- Letters to the first 20 audit subjects were mailed Dec. 1, and the organizations had 10 days to provide a long list of required information, McMillan says. For example, the hospital he’s advising had to provide copies of its HIPAA privacy and security compliance policies as well as its plan for complying with the HIPAA breach notification rule.
- The letter to the Texas hospital indicated that three to five auditors would likely spend five business days at the facility, McMillan says. Larger organizations, he notes, can expect a visit that could last up to 10 days.
- Greene expects that KPMG, the consulting firm hired to conduct the audits, will work with OCR to “revisit the audit protocol” and make adjustments once the first 20 test audits are wrapped up. OCR officials say most of the rest of the audits will “go out in the field in the second half of 2012.”
Some of the key takeaways from the article are:
- The first 20 audit subjects have already been selected. The remaining 130 audits will be conducted in the second half of 2012, which gives organizations little time to get their HIPAA house in order. Clearly this is something healthcare organizations of all sizes need to take seriously.
- With three to five auditors spending five business days on site (up to 10 days for larger organizations), you can expect a thorough review. I think it is safe to assume the auditors will ask to review the HIPAA policies and procedures, the latest risk assessment, the security incident response plan, the breach notification plan and the employee training plan.
- Having just 10 days to respond to the auditors’ request for information leaves no room to scramble. If the policies, risk assessment and plans do not already exist before the letter arrives, 10 days is not enough time to produce them. Imagine the conversation in which you have to explain that you don’t have policies and procedures or have never conducted a risk assessment.
The chances of any given organization being selected for one of the next 130 audits are very low. Most organizations will welcome those long odds, but I am sure the initial 20 organizations are experiencing a very stressful time right now. HIPAA compliance requires work, but ignoring the requirements could lead to very unwanted outcomes. The fear of audits and substantial fines is very real.