The HHS Office for Civil Rights (OCR) is launching a pilot program to audit covered entities for compliance with the HIPAA Privacy and Security Rules. Auditors will visit covered entities and examine their processes and operations. Audits conducted in this pilot phase will begin this month and wrap up in December 2012. Lessons learned from the first 20 or so audits will be analyzed, and then approximately 130 more will be launched. Data from all 150 audits will be used to guide compliance audits in the future.
OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible. This includes covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses. Every covered entity and business associate is eligible for an audit.
Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. According to an OCR press release dated November 8, “We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.”
Following the site visit, auditors will develop and share with the entity a draft report, which will generally describe how the audit was conducted, what the findings were and what actions the covered entity is taking in response to those findings. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices discovered at the entity.
OCR expects to notify selected covered entities between one and three months in advance. Onsite visits may take between 3 and 10 business days, depending upon the complexity of the organization and the auditor’s need to access materials and staff. After the fieldwork is completed, the auditor will provide the covered entity with a draft final report. The covered entity will have 10 business days to review it and will be invited to provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Although the audit results will be “broadly shared”, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.