According to the Department of Health and Human Services’ Office for Civil Rights (OCR), healthcare entities are estimated to spend 3.28 million hours to comply with the modified HIPAA Omnibus rule. As per a notice published in the Federal Register, out of these 3.28 million hours, nearly 30.655 hours would involve the dissemination and acknowledgement of privacy practices at provider offices.
When the new HIPAA Omnibus rule was unveiled, HHS Secretary Kathleen Sebelius stated that the healthcare sector has changed considerably since the first HIPAA rule was enacted 15 years ago, and that the new rule is therefore expected to protect patients' health information and safeguard their privacy in this ever-expanding digital age. However, achieving compliance with this final HIPAA rule is expected to be a highly time-consuming process.
The Estimations
The notice published in the Federal Register breaks down the time that will be spent for each function as follows:
| Function | Estimated Time |
|---|---|
| Documenting security procedures that are in place | 350,000 hours |
| Establishing/Modifying agreements with business associates and subcontractors | 125,000 hours |
| Revising language in privacy notices for health plans | 167 hours |
| Disseminating notices for health plans by paper mail | 416,667 hours |
| Disseminating notices for health plans by electronic mail | 278,333 hours |
This notice, which was submitted in compliance with the Paperwork Reduction Act of 1995 for approval by the Office of Management and Budget, further states that approximately 619,000 hours will be spent on ‘new burdens’ associated with the HIPAA Omnibus rule, most of which will be repeated annually.
With the audit program set to begin soon, IT security experts recommend that healthcare providers be prepared with their documentation collected in a central location. A solution like Aegify Security Posture Management or Aegify SecureGRC can help healthcare providers prepare well ahead of the audit and successfully demonstrate compliance. More importantly, these platforms can dramatically reduce the time spent on each of the functions listed above through built-in frameworks and best practices for HIPAA Omnibus compliance, thus optimizing the time spent on compliance and adding great value to their organizations.