With the Office for Civil Rights HIPAA audit program underway, healthcare organizations and their business associates ought to prepare for audits, if they haven't done so already.
Harlow is a guest on this HIT Squad podcast episode, fielding questions about the OCR HIPAA audit program from SearchHealthIT reporters Shaun Sutner and Kristen Lee.
A small percentage of the country's healthcare organizations, and an even smaller group of business associates, will eventually be audited. No one should fear audits, but all should be prepared as part of following business best practices, Harlow says.
In the podcast, Harlow says he does not expect those audited under the HIPAA audit program and found to be out of compliance with HIPAA to be immediately sanctioned. Instead, OCR would further investigate after finding something wrong in an audit.
Harlow also says it is still unknown which or how many business associates could be audited, but that issue ought to become clearer as OCR defines the pool of potential audit subjects with the round of address confirmations it recently launched.
The precise audit protocol, which OCR cited as one of the reasons for the more than yearlong delay in launching the HIPAA audit program, has also not yet been released, Harlow notes.
Harlow says that he takes OCR at its word that this phase of the audit program is not meant to be punitive, but, rather, will assess levels of HIPAA compliance across the country and reveal ways organizations can better safeguard health data privacy and security.
Harlow also says healthcare organizations' obligation to promptly make patients' health data available could be part of audits.