The Security Scrutinizer with Howard Anderson

Ready or Not, Here Come HIPAA Audits

Yet Another Incentive to Work on Compliance

The threat of an audit could prove to be a powerful incentive for hospitals, clinics, health insurers and others to take adequate precautions to safeguard patient information. And if some of the organizations that are audited wind up facing penalties for non-compliance, that would be a powerful wake-up call, indeed.

Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, revealed some audit program details in an interview this week (see: McAndrew Explains HIPAA Audits). She noted the program, which could result in as many as 150 on-site audits, won't start until late this year or early 2012, after about 20 test audits are completed.

So how will officials select audit candidates? Well, McAndrew didn't spell out the details, other than to say that her office would try to select a wide variety of organizations based on type, size and location. And initially, at least, covered entities, and not business associates, will be the focus. She said the process of selecting audit candidates "will not be totally random ... but this [audit program] will not be incident-driven, unlike the current investigations and compliance reviews that we do."

Considering the thousands of covered entities that must comply with HIPAA, the odds of getting audited are relatively remote. But the threat of an audit offers yet another reason to make sure your organization follows the guidelines in the HIPAA privacy and security rules.

OCR hasn't yet figured out how it will publicize the results of the audits. We're hoping it produces detailed reports on the aggregated findings and offers suggestions for HIPAA compliance best practices, based on what it learns from the audits.

So what can your organization do to prepare for an audit? McAndrew advises organizations to take several steps, including reviewing privacy and security policies and procedures, documenting patient information safeguards, updating risk assessments, developing a breach incident response plan and checking emergency backup systems.

What would a HIPAA compliance audit at your organization reveal? It's time to start thinking about that.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
