- Once the OCR representative completes an onsite audit, they will analyze the findings and results to determine the next step to take.
- Results of prior HHS audits (and their penalties), including recent actions involving multi-million dollar fines and settlements
- When complaints are filed by patients or other entities concerning potential HIPAA violations, OCR can investigate and levy fines and penalties, stipulate a corrective action plan, and even recommend criminal charges. As of the end of January 2017, OCR had collected over $58 million in HIPAA violation settlements, and the fines levied have steadily increased over the past few years.
- Criteria for Selection of Auditees
- OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees.
- Audit Selection Process
- Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to covered entities and business associates.
- Framework of security policies necessary for compliance
- A thorough HIPAA security risk analysis and ongoing risk management are the critical components of HIPAA compliance
- Steps to Take to Prepare for an OCR Audit
- All covered entities and business associates should be prepared for an audit by HHS. Covered entities and business associates should review their privacy, security and breach notification policies and practices.
- Best practices that you, the covered entity (CE), should follow to help pass your audit
- Document data management, security, training and notification plans. Use a password policy for access.
- Documentation requirements for compliance audit
- After preparing employees for the HIPAA compliance audit, the next step is having all that information ready and on hand. You should be able to present documentation on your organization's current security policies, future security plans, risk assessments, data handling, disaster recovery and data loss prevention (DLP) technology.
- Contents of the HIPAA audit protocol used in 2016
- The Office for Civil Rights (OCR) published an audit protocol to provide clarity on the HIPAA standards that auditors may assess during an audit. OCR first made its HIPAA audit protocol available in 2012 in connection with its pilot audit program.
- Will OCR Issue Fines for Non-Compliance if HIPAA Violations are Discovered?
- Two aspects of the HIPAA Rules continue to cause problems for covered entities: risk analysis and risk management. Both are fundamental elements of the HIPAA Security Rule.