OCR to Resume HIPAA Audits. Get Ready Now!


In a Feb. 24 notice in the Federal Register, the HHS's Office for Civil Rights (OCR) announced its intention to resume its HIPAA Audit Program.  By and large, the audit program has been inactive since December 2012, when OCR concluded its pilot audit program.  

In the notice, OCR proposes to survey up to 800 HIPAA covered entities (health plans, healthcare clearinghouses and healthcare providers) and 400 business associates. OCR expects to use the survey to gather information including, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations. According to the notice, OCR will then use the information to verify whether the entity is a suitable candidate for a HIPAA audit. While not all of those surveyed are expected to be audited, OCR is declining to say how many organizations are likely to be audited. Accordingly, all covered entities and business associates should be prepared.

One of the primary focuses of the resumed audits is expected to be whether covered entities have conducted timely and thorough security risk assessments as required under HIPAA. According to OCR, about two-thirds of covered entities audited in 2012 failed to conduct appropriate security risk assessments. Security risk assessments have been required under HIPAA since April 2005 and are a core requirement under the Medicare and Medicaid EHR Meaningful Use incentives.

Whether or not you have done your risk analysis (and review it annually, too), HHS has recently developed a tool to help providers comply with this requirement. The Security Risk Assessment toolbox is designed to help small to medium-sized health care providers conduct and document a risk assessment. It's important to note that use of the new tool is not mandated by OCR or under HIPAA: there is no standard template for what a risk assessment should look like, since it's entirely dependent on the specific facts of the specific entity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising
