Recent data released by the US Department of Health and Human Services Office for Civil Rights (OCR) show that providers account for more than two-thirds of all HIPAA Audit Findings and Observations in seven of the eight categories reviewed, and more than half in the category. Health plans don’t perform well either, accounting for between 25% and 38% of reported findings and observations. Here’s today’s big tip – Go to school on 2012 OCR Audits!
HIPAA Audit Tips – Providers and Health Plans Perform Poorly in HIPAA Audits
Simultaneously, and following on the heels of the promulgation of the Omnibus Final Rule (OFR) in February, OCR and the Centers for Medicare and Medicaid Services (CMS) have announced significant expansions of the HIPAA Audit program and stepped-up reviews of Meaningful Use Attesters prior to payment of incentive fees that can be earned under the Meaningful Use regulations.
“Whether or not the increase in oversight is a result of the poor performance of providers and health plans is irrelevant,” Clearwater Compliance, CEO Bob Chaput observed. “The reality is that organizations handling HIPAA data are going to be increasingly exposed to significant financial penalties and loss of revenue if they don’t have their act together. And time is running out to do that. The provisions of the OFR must be incorporated into these organizations’ programs by September.”
Download the presentation Lessons Learned from OCR Privacy and Security Audits delivered by OCR officials Linda Sanches, MPH and Verne Rinker, JD MPH.
Proven HIPAA Audit Tips – Other Actions You Should Take Now to Prepare for OCR HIPAA Audits
We recommend that organizations who have not already done so complete some fundamental preparation activities which include, but are not limited to:
- Establish a formal Privacy and Security Risk Management & Governance Program. (45 CFR § 164.308(a)(1))
- Complete a HIPAA Security Evaluation. (45 CFR § 164.308(a)(8))
- Complete a Privacy Rule compliance assessment. (45 CFR §164.530)
- Complete a Breach Rule compliance assessment. (45 CFR §164.400)
- Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
- Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures. (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414 )
- Document and act upon a corrective action plan.
Join the 350+ companies (both covered entities and business associates) that work with Clearwater Compliance. We can help your organization jump-start your HIPAA Compliance program.
Wanna be even more ready for an audit or hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: https://twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter
- Attending a HIPAA HITECH live webinar: http://clearwatercompliance.com/live-educational-webinars/
- Attending a HIPAA HITECH Blue Ribbon Panel Live Web Event: http://clearwatercompliance.com/hipaa-hitech-blue-ribbon-panel/
- Viewing a pre-recorded webinar: http://clearwatercompliance.com/on-demand-webinars/
Latest posts by Bob Chaput (see all)
- Making the case for comprehensive cyber-risk strategies: 10 startling facts that will spur C-suite action - August 8, 2016
- Building Capability and Capacity to Take on Healthcare’s Evolving Security Threats - August 5, 2016
- HIPAA Risk Analysis Tip – The Biggest Risk Management Surprises in the 2016 OCR Audit Protocol - April 11, 2016