What to Expect When OCR Knocks on Your Door for a HIPAA Audit
You get the OCR audit notification letter and the panic begins. You are one of the ‘unlucky’ providers or health plans to be audited as part of the OCR’s HIPAA HITECH audit program; what do you do first?
During & After the Audit
The OCR website details each step of the new HITECH audit program, including a timeline of events. Below are five critical steps:
- Required documentation of your privacy and security compliance efforts (see below for more information)
- On-site interviews with key personnel, along with observation of processes and operations, to help determine compliance
- Following the site visit, auditors will develop a draft report and share it with the entity
- Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified
- The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity
Documentation Must Include Policies, Procedures & Training
In accordance with HIPAA regulations, all Covered Entities and Business Associates must institute and document their policies, procedures, and practices—which includes initial and refresher staff training—to improve the privacy and security of protected health information (PHI).
Your training must address privacy and security regulations:
- Privacy training must include all elements of the federal, state and organization privacy regulations
- Security training should cover topics such as the use of virus protection software to prevent or lessen the threat of malicious software, login and password management, and how to respond to security incidents
- The training should also include your organizational security policies and procedures