HIPAA Compliance Audits: Current Beliefs, Future Expectations

By the end of 2012, 115 medical organizations will be audited for HIPAA compliance. The results of these initial audits will affect how the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) manages future auditing efforts. Susan McAndrew, the deputy director of OCR, stated that all health care groups scheduled for HIPAA compliance audits in 2012 were warned in advance.

On behalf of OCR, McAndrew also states, “We are committed to continuing the audit program and actively engaged in looking at alternatives for moving this initiative forward. We have already seen the very positive impact the audit program has had on compliance efforts even as a pilot program and we want to build on the momentum that this effort has begun.”

Future of HIPAA Conformance

It appears unlikely that any HIPAA compliance audits will be conducted in 2013. McAndrew reasoned that the program will not be able to proceed “until all final reports are issued” and the OCR completes the slow process of evaluating results.

Adam Greene, a former OCR official, indicates that the analysis process is extremely time-consuming. Furthermore, Greene points out that any resulting changes to the HIPAA audit program will require a substantial amount of time as well.

Preparing for a HIPAA Audit

This may come as good news to any health care groups that are not currently being audited. The HIPAA audit was mandated by the HITECH Act. Its purpose is to measure, analyze, and manage conformance with the HIPAA security, privacy, and breach notification regulations.

If your medical organization has not already been audited by the OCR, here are some useful tips for preparation:

  • Regularly evaluate the status of the HIPAA compliance efforts your company has in place. Assess all security and privacy standards. Organize documentation of your policies and procedures in an easily retrievable manner.
  • Ensure any notice of privacy efforts is regularly updated. Include all new policy information during standard communication with patients.
  • Retain and organize all HIPAA-related documents to provide evidence of conformance efforts during an audit. Record and document all staff training on HIPAA regulations.
  • Identify and keep track of all business associates. This is more complicated than it may sound. Document any privacy agreements and training involved.
  • Designate a team in charge of responding to a HIPAA audit notice. You will have 15 days to locate and organize any necessary documentation. If a group of briefed professionals is already in place, things will run more smoothly when the event arises.
  • Frequently visit the HIPAA audit protocol website. The protocol changed this year, and it will likely change again prior to your audit.
  • With so many updates, don’t let anything slip through the cracks. Find out why our EMR software has your back.