HHS Initiates New HIPAA Audits

Practices should not ignore any email from the HHS Office for Civil Rights (OCR), as the agency has announced that it has started the next phase of audits of HIPAA covered entities and business associates. The emails have been sent to verify contact information. If an entity does not respond to OCR's request to verify its contact information or to complete a pre-audit questionnaire, the entity may still be selected for an audit or subject to a compliance review. Additionally, OCR expects entities to check their junk or spam email folders for emails from OCR.

Many of the audits will be "desk audits" as opposed to on-site audits. OCR will review policies and procedures to determine whether they meet certain standards and specifications of the HIPAA Privacy, Security and Breach Notification Rules. The audit itself is intended to work as a compliance tool as well as to identify best practices for compliance.

OCR has an audit protocol on its website and anticipates posting, later this year, an updated version reflecting requirements newly established in 2013 with the HIPAA Omnibus Rule. Entities can use the audit protocol to conduct their own internal self-audits.

More information on the audit program is available on the HHS website. CPMA Members have access to HIPAA compliance assistance materials here.