With the OCR not indulging in follow-up questions this time around, healthcare enterprises are deprived of the opportunity to clarify matters with the auditors. Your policies and procedures therefore need to speak for themselves and sufficiently demonstrate your compliance levels. Yes, documentation is more important than ever in Phase 2 of the HIPAA compliance audits. Privacy attorney Adam Greene believes that if you’re a well-organized organization, these “desk audits” are bound to make things considerably easier.
In Phase 2 of the audits, planned to begin this fall, the OCR plans to conduct HIPAA compliance audits of about 350 covered entities that will focus on specific areas of HIPAA compliance, and 50 Business Associate audits that will focus on compliance with the risk analysis and breach notification requirements. As this is a more streamlined process, organizations are to be given about two weeks to submit the requested information to the OCR after being notified of an audit, and the importance of carefully following instructions when submitting documentation can’t be emphasized enough. Greene goes on to explain that the OCR has indicated it is not looking to receive unrelated information, and that presenting such information could possibly hurt someone’s chances in the audit. As the OCR only wants to see what it’s requesting, it is important to ensure that you provide just that – nothing more, nothing less.
Phase 2 of the HIPAA compliance audits is tied to potential enforcement action, like settlement agreements for HIPAA violations, and many organizations may find it difficult to respond to a request for information for an audit. Greene advises such organizations to consider bringing in outside counsel, particularly as an audit could run into a settlement action at a later point. It is also essential to ensure that no unnecessary admissions are made during the audit process.
This phase of the HIPAA audits is unlike the comprehensive HIPAA compliance audits that were conducted earlier and will consist of just “desk audits” performed remotely by staff of the Department of Health and Human Services’ Office for Civil Rights. It is imperative that your enterprise is more than just prepared. Implementing a comprehensive security solution such as Aegify Security Posture Management or Aegify SecureGRC can ensure that you are ready to face this round successfully. Aegify SecureGRC has built-in policies, procedures, and frameworks for HIPAA compliance, and can greatly simplify the process of compliance and dramatically improve the security posture of healthcare entities.