The OCR is reviewing the results of the 2012 pilot audits. They have published the Audit Program Protocol so you know what to expect when they come for you.
In Director Rodriguez’s interview with HealthcareInfoSecurity, he made some important points to note concerning the audits.
- Audits will begin in late 2013 or certainly by 2014
- Expect more and larger monetary penalties for HIPAA non-compliance
- They can see there is plenty of non-compliance out there
- Next wave of audits will likely focus on problem areas found in recent audits and breach investigations
- Business Associates and Subcontractors will be included in the audit program.
We have already seen the initial results. Compliance problems are definitely out there to find. Most of them involve the Security Rule, and Small Providers are the most likely to have them.
Here is how an audit plays out:
1. You get a letter from the OCR telling you that you have been selected for an audit.
2. The letter includes an attached list of documentation you should provide to your auditors within 10 calendar days.
3. The audit will begin within 30 to 90 calendar days.
4. Auditors show up on your scheduled date and meet with your staff to review all the documentation and to see how your office follows your compliance obligations. They will be there 3 – 10 days.
5. They write a report of their findings and pass it back for review.
6. If an audit report indicates a serious compliance issue, OCR may initiate a formal compliance review.
Yep, number 2 and number 6 should raise the blood pressure a bit. It does mine every time I think about it.
I definitely want to be able to produce that list of information in 10 days without tearing my business apart.
I also definitely DO NOT want number 6 to happen! That is where they figure out what fines you need to be handing over.
Here’s an idea – just for fun. Try to figure out how you could get all that information together in 10 days or less.
Then, for bonus points, review the audit protocol and be prepared to answer all the lines that tell the auditor to “Inquire of management as to…”.
Documentation is key. Knowing you can get that documentation together quickly is also key. You don’t want to get one of those letters and have no idea how to even start putting together your response.