HHS Office of Civil Rights (OCR) will be conducting on-site HIPAA audits in 2017, though a hospital's chances of being selected will be “very, very low,” senior advisor Linda Sanches said at a recent privacy and security forum hosted by HIMSS and Healthcare IT News, the publication reported.
OCR began rolling out phase 2 of its HIPAA audit program in March, and there are currently more than 200 desk audits ongoing, according to Healthcare IT News.
The hospital selection process for on-site audits will be similar to the one used for desk audits: selected hospitals will be notified via email, and an on-site visit will take place over three to five days, according to HHS.
Audits are intended to help OCR identify risks and vulnerabilities that wouldn’t be apparent otherwise, Healthcare IT News quoted Sanches as saying. While the prospect of an audit, particularly one that occurs on-site, can be daunting, it is important for providers to remember that audits are not primarily about enforcement, Peter Blenkinsop, a Drinker Biddle & Reath attorney, told Medical Economics in March.
If a hospital is selected for an on-site audit, it should conduct a meeting with staff who will interact with auditors to go over relevant policies and procedures, Blenkinsop said. Risk analysis and risk management are the two areas where OCR is seeing the most noncompliance, and these are the two areas that hospitals should focus on.
OCR was driven to beef up its audit program after the HHS Office of Inspector General issued a report last year that said the office should strengthen oversight when it comes to compliance. OCR had previously tended to investigate noncompliance only in response to complaints. The audit program looks for noncompliance more proactively.