This month's compliance Q&A is about the upcoming OCR audits now that covered entities are starting to receive surveys.
What steps should my organization take to get a head start?
One thing is for sure: You don
t want to wait until you get a notification letter from the Office for Civil Rights before you start preparing for a HIPAA audit. OCR plans to audit 200(+) covered entities, including healthcare providers and employer sponsored group health plans to measure their compliance with the HIPAA Privacy Rule, Security Rule, and breach notification requirements. These CE audits will be followed by up to 400 audits of business associates to measure their compliance with the Security Rule and how they intend to approach their obligations under the Privacy and Breach Notification Rules.
One thing organizations should be doing to prepare is reviewing OCR's audit protocol, as well as the HIPAA and HITECH regulations themselves. Then they need to make sure they have guidelines, policies, and procedures in place to support the regulations and assure those documents are revised to stay up-to-date.