Recently at the Privacy & Security Forum, senior advisor Linda Sanches discussed what the OCR will be looking for in the upcoming on-site 2017 audits. Although the likelihood that your organization will be selected is slim (fewer than the 205 desk audits conducted in 2016), the OCR is hoping to identify risks and vulnerabilities not yet uncovered through previous audits or investigations stemming from breaches and complaints. The chances of fulfilling those hopes are also slim, since Sanches admits that, “Two huge problems we’re seeing are implementation of risk analysis and risk management.”
See more about Sanches's discussion here.
See OCR’s Final Guidance on a bona fide Risk Analysis here.