The Health & Human Services’ Office for Civil Rights (OCR) is gearing up for the second phase of its HIPAA compliance audits, expected to begin this year. Covered healthcare entities and their business associates (BAs) should expect the audits to focus on security and privacy risk management, breach notification, and the Notice of Privacy Practices. Violations uncovered during an audit are expected to carry significant financial penalties.

Every organization and individual covered by HIPAA must be able to demonstrate full compliance with the statute and its implementing regulations. Entities that may be selected for an audit should prepare now by taking several steps, including:

  • Conduct and document a full security risk analysis, including a review of device encryption, media controls, safeguards for data in transmission, and staff training on HIPAA policies and procedures.
  • Review HIPAA policy and procedure manuals to confirm they meet current OCR standards. Update them as necessary and retrain staff on any change in procedure.
  • Identify your BAs. Update the list of BAs, obtain a current Business Associate Agreement from each, and have each provide a list of any subcontractors that handle protected health information on its behalf.

The audits are not yet officially calendared but are expected to begin approximately 90 days after OCR posts the phase two audit protocols on its website. The clock is not yet ticking, so covered entities should use this grace period to complete the tasks above.