Phase two of the HIPAA audit program has not yet been unleashed, but big changes are on the way. Once the DHS’ program resumes, there will be more on-site audits – in conjunction of which they will reveal the new auditing technology that will assist in evaluating compliance.
These audits will be evaluated by the DHS’ Office for Civil Rights (OCR). This on-site is a big move from the previous plan for desk audits. The OCR projects 1,200 HIPAA Entities to be screened once the program rolls out – but what does that mean for your workplace?
The first thing your workplace can expect if being considered for an audit, is to receive a pre-screening survey. Covered entities will be the first to receive it, and then business associates will be subject to the audit thereafter.
It should be noted that pre-screening surveys do not guarantee an audit, just that there may be one in the future. While the OCR will still be conducting the off-site desk audits, the on-site desk audits.
The reason for the change from desk audits to on-site audits is to reveal failures in operational procedures. According to HealthCareInfoSecurity.com and Mac McMillan, CEO of security consulting firm CynergisTek. “You can produce documentation, but have poor implementation, and a desk audit won’t necessarily show that. Onsite audits hold someone more accountable.”
2 Factors that Make You Susceptible to a Security Audit
1. Big breach in your practice. This is a sure way to get a security audit.
2. Series of small breaches. Clean things up at your practice, an audit is likely on the way.
For more information on what to expect from security risk assessment, visit: www.HealthIT.gov/security-risk-assessment