This entry is part 22 of 27 in the series HIPAA Audit Tips

I don’t know if you had a chance to listen to Kathleen Sebelius announce the HHS 2014 budget in a brief video a few days ago, or to read the “Highlights of the 2014 HHS Budget”. The video announcement did not cite the reason for the $1MM, or 2.4%, increase in OCR’s budget over 2013. You might want to know! Here’s today’s big tip – Learn How the Extra $1MM Will be Used!

HIPAA Audit Tips – HHS Budget for Audits Increased

The 131 pages of the Fiscal Year 2014 HHS Budget in Brief had this to say about the increase in the OCR budget: “The increase will support enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule…The Budget maintains this current programmatic focus and also supports an initiative of enhanced enforcement of the HIPAA Security Rule.”

We know that almost every resolution agreement and/or corrective action plan (CAP) in published HIPAA violation settlements has included the Security Rule requirement to conduct a RISK ANALYSIS. In fact, Leon Rodriguez has been quoted as saying that Risk Analysis may be a focus of the 2013 OCR HIPAA Audits.

And don’t think that an audit is the only way that OCR finds out about Security weaknesses. OCR received and resolved more than 9,500 complaints of alleged HIPAA violations in 2012.  And, of course, all the clients with whom we’ve worked following a Breach Notification have been asked to submit evidence of a HIPAA Risk Assessment.

And if reviewing breaches involving greater than 500 records on the HHS Wall of Shame weren’t enough to keep OCR investigators busy, remember Hospice of North Idaho, which reported a breach of 441 records in its required annual report to the Secretary? That earned them an investigation and a settlement: a $50,000 penalty and a CAP.

So maybe an extra $1MM won’t buy much additional OCR enforcement… but how about $2.5MM? “OCR received almost $4.0 million in settlements in FY 2012 and anticipates $5.5 million in FY 2013. OCR uses funding received through civil monetary penalties and settlements to support HIPAA enforcement activities.”

Open up your wallet and get your HIPAA Security Management process in place!

Proven HIPAA Audit Tips – Other Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program. (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation. (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment. (45 CFR § 164.530)
  4. Complete a Breach Rule compliance assessment. (45 CFR § 164.400)
  5. Complete a HIPAA Security Risk Analysis. (45 CFR § 164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures. (45 CFR § 164.530, 45 CFR § 164.316 and 45 CFR § 164.414)
  7. Document and act upon a corrective action plan.

Join the 350+ companies (both covered entities and business associates) that work with Clearwater Compliance. We can help your organization jump-start your HIPAA Compliance program.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.