Susan McAndrew, deputy director of The HHS Office of Civil Rights (OCR) gives a very insightful interview to Howard Anderson, Executive Editor, HealthcareInfoSecurity.com. There are a lot of good points and I suggest reading the whole interview. I will point out a few of the highlights.
When asked about who will be audited, McAndrew was very careful to not let too much out but did make a very insightful point:
“And then we will be looking for meaningful ways of targeting the audit [candidate] selections … true to the typical audit protocols. … It will not be totally random … but this [audit program] will not be incident-driven, unlike the current investigations and compliance reviews that we do. This is an opportunity for us to select on a more random basis who we will be looking at. …”
The key point here is that the audits will not be incident-driven, which means that even an organization with no security breaches or HIPAA issues is now at risk of an audit. That said, the risk is still very low, given that only 150 audits are planned by the end of 2012.
On the question of whether the audits will focus on covered entities only or will also target business associates:
OCR has not yet determined whether it will audit business associates as well as covered entities, such as hospitals, clinics and health insurance plans. Nevertheless, KPMG will develop protocols to support business associate audits.
As of now, you can’t count out that business associates will also be targeted.
McAndrew goes on to give some insight into what they are looking for in the audits, how they will notify the organization being audited, and how they will share the information gathered from the audit.
Audits initially likely will offer comprehensive assessments of compliance with the HIPAA privacy and security rules, rather than focusing on specific narrower issues.
OCR will provide advance notice to entities selected for the audit process and advance requests for documentation. “The model that we’re testing is your typical onsite audit,” McAndrew says. Draft audit reports typically will be shared with the organization before they are completed, and responses will be incorporated in the final report.
A decision on exactly how to inform others about the results of the audits has not yet been made. “There can be great learning by others from these audit reviews. I’m hoping, certainly, that it will lead to the ability to publicize best practices and effective corrective action … and that we can expand the impact on compliance … by making this information public,” McAndrew says. But OCR has not yet determined whether it will publish individual audit reports or summary reports on trends identified in all the audits.
Finally, she gives organizations some good advice: start looking at their compliance, implement policies and procedures, perform a risk assessment, and develop a breach incident response plan.
McAndrew encourages healthcare organizations to prepare for the audits by taking several steps, including reviewing their privacy and security policies and procedures; ensuring that they’ve documented patient information safeguards; completing an updated risk assessment; and developing a breach incident response plan.
One thing is for certain: the HIPAA audits are coming. Now is the time to prepare!