HIPAA Audits Postponed but OCR is Still Serious About Enforcement

Compliance Update: HIPAA Round Two Audits Postponed

Early in 2014, the Department of Health and Human Services’ Office of Civil Rights announced a second round of Compliance Audits set to kick off in the fall. Summer has flown by and we find ourselves barreling headfirst toward the holidays, yet the promised audits have not begun.

Last week, OCR official Linda Sanches announced that the next round of compliance audits has been postponed while the Department makes some upgrades to technology that will better facilitate the process.

The chances of your organization being chosen for a random audit were relatively small anyway. Unless you have suffered a breach, you likely would not have been (or will not in the future be) selected for one of the approximately 1,200 planned audits of covered entities. That’s not to say that you should not have prepared just in case. And that’s also not to say, with the audits on hold, that you can relax and not be as proactive about HIPAA or as diligent about documentation.

Should You Relax? Quite the contrary!

There is no indication that this announcement is any more than a delay of the inevitable audits. Whether your organization is caught up in this round or not, you may still find yourself answering questions from OCR if you suffer a breach or if you are subject to an audit outside the planned compliance checks.

It is important to note that Meaningful Use audits have not been put on hold. In fact, they have been more aggressive. Providers who have filed for Meaningful Use are more likely to be audited and these audits will include a review of their Risk Assessment.

Every indication is that OCR is ramping up enforcement, not slowing it down. The prevailing feeling is that organizations have had time to implement all the privacy and security provisions of the HIPAA final rule, regulators’ patience seems to have been exhausted, and penalties are going ever higher. Do not let the news of postponed audits fool you into taking your foot off the gas. OCR is still making it clear that they mean business.

Documentation Protects the Company and Makes the Audit Process Easier

With our clients who have undergone a recent audit, we have seen first-hand how OCR is dealing more strictly with Risk Analysis enforcement. Auditors have been clear that they expect to see an up-to-date risk analysis as well as a diligently documented review of remediation steps taken since the prior analysis.

From one OCR auditor:
“The measure states that, ‘a new review would have to occur for each subsequent reporting period.’”

For many of our HIPAA-regulated clients, this underlines the importance of doing monthly status reports to help document remediation activities. It also points to the need for annual assessments or, when a full assessment may not be needed, at least a conformance assessment to document the company’s best efforts and progress toward remediation or compliance.

Contact Loricca Today

If your covered entity or business associate organization has not had a recent Risk Analysis or if you do not have a process in place for reviewing and documenting your remediation steps along the way, please do not be lulled into thinking OCR will not someday come around asking the tough questions you may not be prepared to answer. We can help you begin to take the steps and assemble the documentation that will prepare you for the prospect of an audit. Contact us today for help.
