The Second Phase of HIPAA Audits Has Begun

Make sure you are prepared!

Completing a HIPAA Risk Assessment has been required since the HIPAA Privacy Rule was issued in 2003, but in reality very few healthcare organizations have done so. Those that have not completed this requirement may have managed to avoid substantial penalties; however, the Office for Civil Rights is now turning up the heat on enforcement and aggressively pursuing HIPAA violations.

According to the Pennsylvania Medical Society, “The Health and Human Services Office for Civil Rights (OCR) has begun the second phase of its HIPAA Audit Program. OCR will review the policies and procedures adopted and employed by covered entities and their business associates to ensure that they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. As part of the audit, it will complete a Security Risk Assessment, looking at things like exposed and unencrypted servers, laptops, etc., default and/or unchanged passwords, outdated security software, and inadequate staff training. Most of the audits will be desk audits, although there will be onsite audits if necessary.”

There is word that some practices have received pre-screening questionnaires via email. The questions cover things such as the size and type of practice, operational practices, and finances. The questionnaire will also ask entities to identify their business associates. Based on your answers, additional questions may appear.

Are you Prepared?