
HIPAA Audits: What to Expect in 2017
In February 2014 the Office of Civil Rights (OCR) announced its plans for the Phase II mandatory HIPAA compliance audits. But details surrounding the HIPAA audits, including the timeline, were moving targets—until 2016. You may recall the Phase I pilot audits were conducted in 2012.
In March 2016, the OCR launched the Phase II HIPAA Audit Program. The Phase II Audits will target HIPAA Standards that showed the highest incidence of non-compliance in the pilot audits; including areas such as risk analysis and risk management, notice of privacy practices, training and policies, and procedures.
On July 11, 2016, OCR notified 167 covered entities they had been selected for an audit. The majority of those selected were audited via a desk audit, meaning they were audited remotely. Only a small number was selected for a comprehensive onsite audit
Covered entities selected for an audit in 2017 can expect it to be onsite and more comprehensive than the desk audits. If you are one of those selected, respond quickly but carefully.
Here are two important tips if you are selected for an audit:
- Pay close attention to the two-week response deadline. The clock starts ticking on their postmark date, not the date you received the letter.
- Understand the gravity of Phase II Audits. The pilot audits in Phase I were performed remotely by subcontractors with no penalties levied. Phase II Audits will be conducted onsite by OCR staff. This phase will most likely include fines for noncompliance.
However, before you are ever selected, be proactive. Conduct a self-audit and immediately correct any areas of noncompliance. Sign up for the Institute’s HIPAA course to arm yourself with knowledge.
If you’re thinking you’d like an outside review to be on the safe side, or if you are unsure how to conduct a self-audit, enlist the services of a qualified attorney or HIPAA expert.
As Benjamin Franklin said, “Don’t put off until tomorrow what you can do today.” Maintaining compliance readiness is the best strategy.