HIPAA Audits

Recently I was asked about rumors regarding HIPAA Audits. The person who asked me did so in a joking manner, as if he were asking about the last time I was visited by the Easter Bunny. The reality is that HIPAA Audits are real and, if anything, they will be more regular than in the past. After a two-year pilot program, the Department of Health and Human Services (HHS) will roll out a permanent HIPAA Audit program. Per the HHS web site: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

    • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
    • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.”

As of March 2014 the protocol has not incorporated provisions from the Omnibus Rule, but I’m pretty sure those are forthcoming. In the meantime, the key issues to consider are:

Section | Established Performance Criteria | Key Activity
--- | --- | ---
§164.308(a)(1)(ii)(A) | Security Management Process – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity,… | Conduct Risk Assessment
§164.308(a)(1)(i) | Security Management Process – Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be ne… | Acquire IT Systems and Services
§164.308(a)(1)(ii)(D) | Security Management Process – Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incide… | Develop and Deploy the Information System Activity Review Process
§164.308(a)(1)(ii)(B) | Security Management Process – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to compl… | Implement a Risk Management Program
§164.308(a)(2) | Assigned Security Responsibility – The responsibility for security should be assigned to a specific individual or organization to provide an organization focus and importanc… | Select a Security Official To Be Assigned Responsibility for HIPAA Security
§164.308(a)(2) | Assigned Security Responsibility – The responsibility for security should be assigned to a specific individual or organization to provide an organization focus and importanc… | Assign and Document the Individual’s Responsibility
§164.308(a)(3)(ii)(A) | Workforce Security – Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in lo… | Implement Procedures for Authorization and/or Supervision
§164.308(a)(3) | Workforce Security – Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as pro… | Establish Clear Job Descriptions and Responsibilities
§164.308(a)(3) | Workforce Security – Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as pro… | Establish Criteria and Procedures for Hiring and Assigning Tasks
§164.308(a)(3) | Workforce Security – Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as pro… | Establish a Workforce Clearance Procedure

The good news is that all of these topics are covered in our Compliance Suite software, so you can contact Taino Compliance or one of our Partners for more information. If you are up for a challenge, you can do it yourself; the full audit protocol is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html