The Department of Health and Human Services Office of Civil Rights (OCR) announced it has begun the next phase of HIPAA audits of covered entities (CEs) and their business associates (BAs).
The HIPAA audit program is an element of OCR's health information privacy, security and breach notification compliance activities. It is used to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations.
During phase 2, every CE and BA is eligible for a desk and/or onsite audit. This includes covered individual and organizational providers of health services; health plans of all sizes and functions; healthcare clearinghouses; and a range of BAs of these entities.
OCR will review policies and procedures adopted and employed by CEs and their BAs designed to meet selected standards and implementation specifications of the Health Insurance Portability and Accountability Act's Privacy, Security and Breach Notification rules.
OCR notes that audits are primarily a compliance improvement activity. It is intended to provide a better understanding of compliance efforts with particular aspects of the HIPAA rules and the development of tools and guidance to assist organizations in compliance self-evaluation and preventing breaches.
However, if a serious compliance issue is identified during an audit, OCR noted that it may initiate a compliance review to further investigate, which could lead to civil monetary penalties.
If you have questions about maintaining HIPAA compliance in your organization, contact PriorityOne Group today to learn how you can qualify for a complimentary IT Assessment.