2016 HIPAA Audit Selection Process

Posted by John Dimaggio on Jun 1, 2016 4:17:52 PM

In OCR Random Audits

The new HIPAA audits are currently underway, targeting healthcare organizations as well as Business Associates.  Conducted by the Office for Civil Rights (OCR), the audits are intended to assess compliance of the HIPAA regulated industry, with a focus on selected specifications of HIPAA Privacy, Security, and Breach Notification Rules. Every Covered Entity and Business Associate is eligible for an audit. So how will you know if your organization has been selected?

The process begins with an email from OSOCRAudit@hhs.gov that requests verification of Entity contact information. Once contact information is obtained, OCR will send a Questionnaire for the purpose of gathering demographic data. The demographic data collected from the Questionnaire will then be compiled to create a pool of audit candidates, likely representing a wide range of organizational sizes, types and geographic locations. Audit candidates will then be randomly selected from this audit pool.

It is important to note that your system may incorrectly classify emails from OCR as spam, so monitor your junk or spam folders closely.  Ignoring the Information Verification email or the Questionnaire (or not locating this OCR communication in your spam folders) will not keep your organization from being entered into the audit pool. OCR will use public information about Entities that do not respond when creating the audit pool, and therefore a non-responding entity may still be selected for audit or be subject to a compliance review.

If your organization received the OCR Questionnaire, it has been included in the Audit pool and is subject to a potential audit. Start preparing immediately (see the OCR Audit eBook link at the end of this article for tips on how best to prepare for a pending audit).

If your organization did not receive the OCR Verification email or Questionnaire (after having verified this through spam folders) you are likely not in the initial audit pool.  However, this does not mean your organization is “safe” from audit, because OCR will use these very audit findings to determine where to focus ongoing enforcement initiatives.  Additionally, it just makes sense to achieve and maintain HIPAA compliance, as all Covered Entities are subject to random HIPAA audits, as well as audits resulting from a complaint or security breach.

For more information on OCR audit selection processes, or to learn about the actual audit process, anticipated failing points and best practices for audit readiness, download our OCR Audit eBook by clicking on the below link:

Download Our OCR Audit eBook

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH.  Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts.  Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates.  If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.