The HIPAA compliance audit program appears set to resume this year, as the Department of Health and Human Services' Office for Civil Rights (OCR) gears up with auditors to examine business associates and covered entities. At the 2014 HIMSS Conference held on February 24, Susan McAndrew, the OCR Deputy Director for Health Information Privacy, said that the work to start up the audit process will commence in the coming months.
OCR will soon launch a survey of 1200 organizations as the first step towards selecting those to be audited. Organizations to be audited will be chosen from a large database, and the survey is intended to verify details such as whether the organization is still in business and is genuinely the healthcare entity indicated in the database. These details will not only help OCR determine whether the entities chosen are suitable for the audit, but also give OCR a good idea of the size and complexity of each entity. Amongst other things, the survey is aimed at collecting recent data about the number of patient visits or insured lives, use of electronic records, business locations, and revenue.
Although McAndrew did not disclose the number of organizations to be audited, she said that the 1200 surveyed organizations will be an oversupply as not all of them will end up being suitable candidates. According to an OCR spokesperson, the survey will be targeting nearly 800 covered entities and 400 business associates.
OCR, with the help of KPMG, had conducted a pilot HIPAA audit program in 2012 involving 115 covered entities. However, according to McAndrew, the next round of audits will be in-sourced. Details such as whether OCR will conduct these audits by training existing staff or by hiring new auditors, and whether the work will be carried out from the regional OCR offices or from the central office, are still unclear.
Focus Areas for Upcoming Audits
According to McAndrew, one of the primary areas of focus in the 2014 audits will be whether covered entities have conducted timely and thorough security risk assessments as per HIPAA requirements, because this was one of the common weak spots found during the pilot audits as well as previous breach investigations. Moreover, the upcoming audits will have a revised protocol to fit the changes brought about by the HIPAA Omnibus rule that came into effect in 2013.
So the time is ripe for healthcare entities to do a reality check and prepare themselves with thorough risk assessments. Comprehensive security management solutions like Aegify Security Posture Management and Aegify SecureGRC can prove handy at this juncture, and help entities face the upcoming audits with confidence.