Recent news that the Office for Civil Rights is delaying Phase 2 of its HIPAA Audit Program might tempt some organizations to breath a momentary sigh of relief, but taking your foot off the pedal would be a big mistake. Here are four big reasons why organizations should be making good use of the extra time afforded by OCR’s late start.
1. The actual length of the delay is unknown.
All that has been reported is that OCR will delay the start of the audit program. No one knows how long the delay will be. You may have less time than you think before your organization gets a call.
2. When the audits do kick off, they are going to be more intensive.
OCR has also announced that it is changing the overall approach for the audits. Instead of conducting 400 desk audits, OCR is now planning to do more on-site, comprehensive audits while trimming back the number of targeted desk audits to fewer than 200. If selected, your organization will likely be subject to a much more intensive process than you may have previously anticipated.
3. The timing has changed, but what’s important to OCR has not.
OCR hasn’t strayed from its intensifying emphasis on risk analysis and risk management. In recent months, representatives from OCR have been clear that it will be squarely focused on how entities have approached conducting periodic, comprehensive risk analyses and how well they have implemented appropriate risk management initiatives to address identified vulnerabilities. There’s no need for organizations to wait and see. OCR has been clear with its priorities.
4. The audits might not start tomorrow, but your risks are alive and well today.
Most importantly, organizations should not to view the delay in OCR audits as a temporary moratorium on HIPAA related risks. A complaint against your organization can trigger an OCR investigation right now. A data breach can set you on the path to very bad outcomes in a millisecond. Those with limited views on compliance and risk management view preparing for an OCR audit as a checklist item. Those who have a healthy understanding of what’s required to safeguard sensitive data know that while being prepared for an audit is good, the real focus should be on effectively protecting sensitive data by having a comprehensive plan for analyzing and managing risk.
Bottom line, Clearwater is advising healthcare organizations to view the delayed audits as a non-event.
Be ready when, and if, you get selected for an audit.
The timing should not dictate the speed or scope of what you are doing to safeguard sensitive data. Risks are all around, and they are more real than ever. Your organization should be taking any and all appropriate steps needed to ensure you are defending your data to the best of your ability. If you do that, you’ll be ready when, and if, you get selected for an audit.
Need help getting your risk analysis and risk management plans in order? Drop us a note, and a seasoned HIPAA compliance and information risk management expert will get right back to you!
Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.