This entry is part 21 of 27 in the series HIPAA Audit Tips

Recent data released by the US Department of Health and Human Services Office for Civil Rights (OCR) show that providers account for more than two-thirds of all HIPAA Audit Findings and Observations in seven of the eight categories reviewed, and more than half in the remaining category. Health plans don’t perform well either, accounting for between 25% and 38% of reported findings and observations. Here’s today’s big tip – Go to school on the 2012 OCR Audits!

HIPAA Audit Tips – Providers and Health Plans Perform Poorly in HIPAA Audits

Simultaneously, and following on the heels of the promulgation of the Omnibus Final Rule (OFR) in February, OCR and the Centers for Medicare and Medicaid Services (CMS) have announced significant expansions of the HIPAA Audit program and stepped-up reviews of Meaningful Use Attesters prior to payment of incentive fees that can be earned under the Meaningful Use regulations.

“Whether or not the increase in oversight is a result of the poor performance of providers and health plans is irrelevant,” Clearwater Compliance CEO Bob Chaput observed. “The reality is that organizations handling HIPAA data are going to be increasingly exposed to significant financial penalties and loss of revenue if they don’t have their act together. And time is running out to do that. The provisions of the OFR must be incorporated into these organizations’ programs by September.”

Read our recent Press Release Providers and Health Plans Perform Poorly in HIPAA Audits-HHS to Expand Pool of Audited Organizations; CMS Also Targets Meaningful Use Attesters

Download the presentation Lessons Learned from OCR Privacy and Security Audits delivered by OCR officials Linda Sanches, MPH and Verne Rinker, JD MPH.

Proven HIPAA Audit Tips – Other Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program. (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation. (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment. (45 CFR § 164.530)
  4. Complete a Breach Rule compliance assessment. (45 CFR § 164.400)
  5. Complete a HIPAA Security Risk Analysis. (45 CFR § 164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures. (45 CFR § 164.530, 45 CFR § 164.316 and 45 CFR § 164.414)
  7. Document and act upon a corrective action plan.

Join the 350+ companies (both covered entities and business associates) that work with Clearwater Compliance. We can help your organization jump-start your HIPAA Compliance program.
Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.