OCR Announces New HIPAA Audit Selection Criteria
Sept. 6, 2011
The Office for Civil Rights (OCR) announced in June a plan to conduct up to 150 privacy and security audits by Dec. 31, 2012. The audits are required by HIPAA as amended in February 2009 by the HITECH Act.1 Whereas past HIPAA compliance audits have focused on organizations that have experienced breaches, these audits will determine which organizations will be audited according to a more systematic and objective selection model that will be based on risk factors.
OCR has engaged KMPG to conduct the audits, which will be traditional onsite investigations that include interviews with leadership, examination of physical features and operations, and observation of compliance. HealthLeaders Media reported that the audits will address:
- Incident detection and response
- Review of log access
- Secure wireless network
- Management of user access and passwords
- Theft or loss of mobile devices
- Up-to-date software
- Role-based access – lack of information access management2
OCR’s announcement raises the question of whether organizations are ready.
HIPAA compliance is much more than tendering HIPAA notices to patients. To be prepared for an audit, organizations must perform a comprehensive assessment to identify gaps in their HIPAA/HITECH privacy and security compliance programs. They are also required to have a corrective action plan in place to remediate any problems.
HIPAA has been around for 15 years, but organizations that have not been breached have tended to take a relaxed approach to compliance up to now. OCR’s recent announcements have put organizations on notice to be prepared for a compliance audit.
For more information, please contact Raj Chaudhary at 312.899.7008 or email@example.com.
1 In February 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act amended the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
2 Dom Nicastro, "OCR's HIPAA audit hot-button topics revealed," HCPro HIPAA Update, Aug. 12, 2011;