Last year, the Office for Civil Rights (OCR) said it planned to audit 200 control entities and then follow up with 400 business associates in 2015. Officials there also said they had over 6,000 complaints last year. During an April 15, 2015 session at HIMSS, an official from the Department of Health and Human Services said that the next round of HIPAA audits is under development. There was no timeline given.
Since OCR had a change in leadership last year, there has been a lot of speculation concerning whether that is part of the reason the audits have not started yet. We all know it takes time for new leadership to settle in, and OCR does appear to be staffing up for the audit program. They are also anticipating 15,000 to 17,000 HIPAA complaints in 2015. While we wait to see when the audits will start, we need to learn from the last round of audits and be prepared.
The first round of audits found that most of those who were assessed didn’t conform to the HIPAA standards in three primary areas. They also showed that two-thirds of the covered entities had not performed a risk assessment.
The biggest reason these areas were not in compliance was because they were unaware. Given the amount of time that we all have while we wait, none of us should be “unaware” of any requirements. We all need to take this extra time to make sure we have done our risk analysis. Then we need to look at our risk analysis and perform the steps needed to clear up any issues we might have. If you haven’t reread all your policies since Omnibus, now is a great time to do it.
I know that for me, it’s easy to put things off when I have what appears to be a lot of time. Following a self-imposed schedule to make sure your HIPAA program has stayed up to standards could allow you the opportunity to find something that is wrong before the government does.
No related posts.