Data-Struction would like to let our customers know that the Office for Civil Rights (OCR) at the Department of Health and Human Services will begin conducting compliance audits of HIPAA-covered entities and business associates soon, reports
The OCR had lurched forward with a pilot audit program in 2011, but pulled back when the Office of the Inspector General (OIG) criticized the methodology. OCR settled for relying primarily on self-reports of breaches from covered entities (as required by the Breach Notification Rule) as a basis for enforcement actions.
Now that is changing. Section 13411 of the HITECH Act directs OCR to conduct periodic audits to ensure that covered entities and business associates comply with the agency’s Security Rule, which spells out the safeguards required for electronic protected health information.
According to news reports, HHS has chosen a vendor for the next phase of the audit program and is verifying contact information for business associates and covered entities to be included under the program. OCR noted that the first audits will mostly consist of desk audits, under which it will ask entities to send in policies and procedures for review, but there will be some in-person audits as well.