
Health IT Pulse

Nov 10 2011   12:46PM GMT

OCR to begin random audits for HIPAA compliance

Posted by: AnneSteciw
HIPAA audits, HIPAA Privacy Rule, HIPAA violations, Office for Civil Rights

Until recently, a health care organization’s HIPAA compliance was put to the test only when a patient specifically filed a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). But the HITECH Act has effected some changes in HIPAA compliance. The biggest change is the toughening up of data breach notification laws. Another big change is that HHS is required to conduct periodic audits of providers and business associates to ensure the organizations are HIPAA compliant.

OCR contracted with KPMG, LLP to develop the protocol for these HIPAA audits and to conduct 150 of them by December 31, 2012. Well, the hour is nigh: The first 20 audits — part of a pilot audit program to test the audit protocols — are slated to begin this month. OCR will select the entities to be audited, choosing a wide range of organization types and sizes.

Health care law expert David Harlow wonders if the HIPAA audits really matter, pointing out that the requirement for providers to publicly report data breaches affecting 500 or more individuals has not, it seems, motivated a change in behavior.

And OCR is not exactly baring its teeth with these audits. According to the information posted about the HIPAA audit program on the HHS website, “Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity to address findings.”

But the penalties can indeed be stiff for not meeting HIPAA compliance — especially if the organization fails to comply with an OCR investigation.

Penalties and audits aside, covered entities and business associates should be complying with HIPAA privacy and security rules simply as a matter of good business. After all, it’s the patient who could potentially suffer the most.
