No HIPAA Audit Request Letter Last Week? Does That Mean I’m Safe?

On Monday, July 11, 2016, the Department of Health and Human Services’ Office of Civil Rights (OCR) sent out 167 e-mails for the first round selection of the HIPAA Desk Audits. If you didn’t receive anything, breathe a big sigh of relief; however, don’t think that this means you no longer have to focus on HIPAA compliance or worry about an audit. Just because you were not picked doesn’t mean your organization will not be selected for future audits or that a complaint or data breach won’t open an investigation with the OCR.

In June 2016, details regarding the OCR’s budget for 2017 were released. The OCR has a $43 million budget, with which it plans to increase the team of auditors for the continuation of the HIPAA compliance audits. The healthcare industry needs to be prepared for HIPAA audits to be a constant in our world going forward. Also, remember that the goal of the audits is to assess compliance, to determine new and upcoming concerns and risks to the healthcare industry, and to serve as a platform for identifying what tools OCR can create to support compliance.

Biggest Lesson – DON’T STOP THE PREPARATION!

What can you do to continue to prepare?

  • Complete a HIPAA risk analysis and complete it regularly
  • Ensure you have all the necessary policies and procedures needed for HIPAA compliance
  • Provide workforce training and security updates
  • Establish a strong working process for identification and internal management of business associates
  • Keep an up-to-date list of your business associates
  • Evaluate current security safeguards and look at ways to increase the use of encryption and other technical safeguards
  • Conduct proactive audits on access, use, and disclosure of health information

The HIPAA audit protocol provides specific detail on what the auditors will be looking for when evaluating each of the different requirements under the HIPAA protocol. It is similar to being given the answers to a test as you prepare for it. While it is long and challenging to follow at times, it is a great resource for covered entities and business associates as they work towards HIPAA compliance. Remember that one of the big focuses is the creation of policies and procedures and proof of compliance in your organization. The term policy appears in the HIPAA protocol over 420 times! If that doesn’t send a message to organizations, I am not sure what else will!

Feel grateful that you were not selected, but don’t ignore HIPAA compliance. Use the extra time to finish getting your HIPAA compliance in order and help your organization feel confident about meeting the regulations and protecting the privacy and security of patient information.
