According to a recent article in Info Risk Today:
Organizations chosen for remote “desk audits” of their HIPAA compliance, which will begin this summer, need to be prepared to quickly provide supporting documentation, says Deven McGraw, deputy director of health information privacy at Department of Health and Human Services’ Office for Civil Rights.
Those selected for an audit will be required to submit within 10 business days documents that, for example, offer evidence of an enterprisewide security risk assessment as well as processes for providing individuals access to their health information, McGraw explains in an in-depth audio interview with Information Security Media Group.
OCR is nearing completion of its process of confirming contact information to create a pool of covered entities that could be chosen for audits, she explains. A sampling of business associates will be audited later.
“We will definitely be selecting the covered entities and begin to audit them first because our current database of business associates is not robust enough,” she says. “And so we will need to rely on covered entities who are selected for audit to provide us with information on their business associates so that we can go through the same process of verifying contact information and forming more robust business associate pools – and pick business associate auditees from there.”
A total of between 200 and 250 organizations – including both covered entities and business associates – will be audited, she says. In addition to remote desk audits, OCR will conduct some more comprehensive onsite HIPAA audits (see HIPAA Audits: Progress Report).
In the interview, McGraw also points to several lessons that organizations can learn from recent OCR resolution agreements and corrective action plans related to settlements after breach investigations.
Frequently, OCR finds healthcare providers conducting security risk assessments “that look only at their electronic health records systems, but not other information-collecting systems in their environments, and not connected devices,” she notes. “These routinely get left out – and not surprisingly … if they’re left out of the risk analysis, they are also left out of the process of how do you manage that risk,” such as through encryption or an alternative safeguard.
“Almost everything flows out of the risk analysis, so if you’re leaving big pieces of your enterprise out of it, chances are you’re going to be non-compliant in all sorts of other ways,” she says.
In the interview, McGraw also discusses:
- Other risk management lessons emerging from recent OCR enforcement activities;
- Upcoming guidance planned by OCR, including instructional material on the requirements related to reporting breaches involving ransomware;
- Other recent breach trends, including hacker and phishing attacks that have been hitting the healthcare sector, and steps organizations can take to avoid falling victim.
For more information on the audit process, click here for an HHS FAQ.
Click here to see an example of the letters that will be sent out to organizations picked for the auditing process.