Could Your Organization be Ready in 10 Days for an OCR HIPAA Audit?

Posted by John Dimaggio on Jun 14, 2016 2:49:52 PM


The Office for Civil Rights (OCR) is currently auditing Covered Entities and Business Associates to assess compliance with HIPAA mandated processes, controls, and policies. Organizations selected for an audit will have 10 business days to provide the requested audit information.  Could your organization respond in 10 days?

Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of audit topics from among the 180 potential audit items. Since an organization has no way of knowing which of the 180 topics OCR will select, it is best to be prepared to demonstrate compliance with all 180 topics, and be prepared to do so with 10 days’ notice!

This OCR initiative is too new to have generated any meaningful statistics on how well healthcare organizations are likely to fare during an audit. However, based on the broad scope of potential audit topics and OCR's staunch audit objectives, indications point to substantial failure rates.

Using typical Gap Analysis and Risk Analysis findings from BlueOrange Compliance, some anticipated audit failing points are:

  • Failure to execute Business Associate Agreements;
  • Improper disclosure of PHI;
  • Failure to conduct Risk Analyses;
  • Insufficient evidence of an active risk management plan;
  • Lack of documentation for, or inconsistently enforced, HIPAA required policies and procedures;
  • Inadequate security awareness training for required personnel;
  • Failure to document and employ Breach detection, assessment, mitigation and reporting processes.

Bottom line: if your organization is not currently compliant with the requirements and implementation specifications of the HIPAA Privacy, Security and Breach Notification Rules, 10 days will not be enough time to make any significant improvements. The complexity of the HIPAA Rules should not be underestimated. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to achieve and maintain compliance. Moreover, it can be very challenging to test, analyze and remediate your own security and privacy vulnerabilities without interrupting your day-to-day business operations. Going forward, consider hiring a compliance partner that specializes in the HIPAA Security, Privacy and Breach Rules.

For more information on the 2016 OCR HIPAA audits, download our OCR Audit eBook by clicking on the below link:

  Download Our OCR Audit eBook

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH.  Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts.  Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates.  If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.