Announced in the spring of 2014, scheduled to begin in late 2014, OCR announced this week that a second round of HIPAA Audits (following the original 2012 audits) has finally begun.
I have written over the last two years that audits were imminent. I admit it felt like crying wolf at one point. But my insistence all along has been to urge you, our readers, as I we do our clients, not to wait for OCR auditors to come calling.
Going To to Toe with Cybersecurity Risks
Federal Officials are not your opponent. You are more likely to find yourself facing off with cyber threats from malware and increasingly dangerous ransomware. But the real fight you are up against comes from carelessness in your internal processes, negligent or even nefarious employees, or weakness in your systems. Audit or no audit, you could are likely to find yourself sparring with some big challenges. Best to be prepared.
The Audit Process Begins with an Email Letter
Initial notification letters were sent to a sample of about 200 covered entities and business associates this week. If your company receives a letter, you have ten days to reply with some basic information.
Here is a sample of the letter sent by email which officials warn your email system’s spam blocker could pick it up. Spam filtering will not be an excuse for missing it.
Following the initial notification, more detailed questionnaires will be sent to the selected organizations. From these questionnaires, an unspecified number of desk audits will follow for both covered entities, first, and then for selected business associates.
When desk audits are completed, the company will receive a draft of auditors’ findings and will then have an opportunity to responds. A final report will include the organization’s response.
Finally, onsite audits will take place in 2017 for a subset of the sample of organizations.
If you receive a notification letter and you’re lucky enough to be part of this process, don’t panic. Hopefully, you have taken the necessary compliance and security steps in recent years, maintained good documentation, and you just need to respond in a timely manner that may be the end of it. Of course, if you received a letter and you are not confident in your organization’s ability to respond or are concerned, once you respond, about facing a desk audit or, down the road, a possible onsite audit with officials, contact us right away and we can still try to help you get ahead of it.
