The Office for Civil Rights says that it makes sense to audit healthcare organizations of all shapes and sizes. After all, one goal of the audit program is to spur across-the-board compliance with the Health Insurance Portability and Accountability Act's privacy, security, and breach notification rules. And the best way to do that is to scrutinize a variety of players.
Virtually any organization that's audited is going to have some HIPAA compliance issues that it has yet to resolve. So OCR urges covered entities to document in advance of an audit the areas where they need to work on compliance, and the steps they plan to take.
We'll have to wait and see how the audits play out. But the new head of the Office for Civil Rights stresses that a key goal of working with covered entities on audits is to "find out where there are opportunities for improvement and help them improve."
Keep in mind, however, that OCR also acknowledges that audits that uncover significant vulnerabilities could result in significant corrective action and even civil monetary penalties.
What is the bottom line? It's time to review your HIPAA compliance policies, procedures, and training. And by all means, make sure you've documented your strategy so you have something to show the auditors.
The Office for Civil Rights should offer detailed summaries of its audit findings periodically this year, pinpointing vulnerabilities discovered and suggesting ways to address them. That way, the audit program can be a learning experience for everyone.
OCR says it's too bad that it didn't launch a HIPAA compliance audit program a long time ago. Who knows how many health information breaches and privacy violations could have been avoided if more organizations had taken compliance more seriously?
In addition to the audit program, the Office for Civil Rights, under the direction of its new leader, an experienced prosecutor, will take additional aggressive enforcement steps, imposing more sanctions against organizations guilty of the most egregious HIPAA violations. That would be another powerful compliance catalyst.