Just when you may be thinking that your compliance and security needs are taken care of, here comes another thing to worry about: the HIPAA Compliance Audit Program. HIPAA audits are conducted in accordance with Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to ensure that covered entities and their business associates are in compliance with the privacy and security rules of the American Recovery and Reinvestment Act of 2009.
What are HIPAA audits?
HIPAA audits are part of the stringent enforcement action taken by the US Department of Health and Human Services' Office for Civil Rights (OCR) to ensure that healthcare entities and their business associates are compliant with all HIPAA rules and regulations. In June 2011, HHS awarded a $9.2 million contract to KPMG to develop the protocols for the HIPAA audits and to conduct them.
With OCR overseeing the program, HIPAA audits began in November last year. Within a short span, OCR extracted large settlements and fines from several entities, including Cignet Health, which paid a $4.3 million civil fine, and Massachusetts General Hospital, which paid a $1 million settlement. Many more are expected this year, with the audits likely to continue until 31 December 2012, or past that date if OCR has the resources to continue.
What will HIPAA audits entail?
As is the case with any type of audit or assurance process, HIPAA audits will involve a site visit consisting of interviews with stakeholders such as the CIO, legal counsel, and medical records directors. Beyond the interviews, physical examination of the health information systems, daily operations, safeguards, and adherence to HIPAA requirements will be an integral part of the audit. For instance, if during the audit the KPMG official finds a medical record or report inadvertently left on a desk, it will be treated as a HIPAA violation.
Following the site visit, KPMG creates a final report with details including the name and description of the audited entity, the methodology used for the audit, the observations made, and the final findings. The report also contains recommendations for a corrective action plan to address any compliance problems or shortcomings found.
How can you prepare yourself?
While HHS anticipates around 150 audits to be completed within this year, the chances of an individual entity being selected are low. However, considering the potentially dire consequences of a HIPAA violation, you should assess your HIPAA compliance status and check your readiness for an audit. The best way to prepare is through policy reviews and self-auditing. For this purpose, you can make use of eGestalt's SecureGRC, a self-assessment tool that assists in identifying inadequacies in your security program through proactive assessment audits. It is a completely integrated solution with end-to-end automation for all your security, compliance, assessment, audit, and risk management needs. With built-in support for HIPAA/HITECH and PCI compliance, SecureGRC can ensure that you're audit-ready at any point in time.