By Greg Freeman
The Office of Civil Rights (OCR) recently resumed audits for HIPAA compliance, meaning some covered entities will be visited for a thorough check that could have serious ramifications. Knowing what to expect can reduce the risk and stress.
Covered entities and business associates that are selected to participate in the audit program should expect that the audit will focus on compliance with the HIPAA Security Rule, including but not limited to risk analysis, information system activity review, security awareness and training, security incident procedures, data backup plans, and disaster recovery plans, says Elizabeth F. Hodge, JD, partner with the Akerman law firm in West Palm Beach, FL. Regulated entities subject to audit also should be prepared to produce documentation demonstrating how they comply with the Security Rule.
“It’s not enough to describe what your organization does. You must show OCR your work,” Hodge says. “Also, while information provided by those being audited won’t result in a HIPAA enforcement action, where an audit reveals serious compliance issues, OCR may open a subsequent compliance review.”
Even organizations not selected for an audit can learn from the findings, she says. The final report or reports show how OCR interprets the HIPAA regulations and the agency’s expectations for regulated entities. Additionally, the audit topics and document requests provide insight into what OCR staff consider to be areas requiring heightened focus, she says.
“Document requests show the types and level of documentation that OCR expects regulated entities to create and maintain to demonstrate compliance with the HIPAA regulations,” Hodge says. “Regulated entities can use these data requests as a check on their policies and procedures, including their documentation, to see if there are opportunities to improve.”
Hodge notes that the HIPAA audit letters were sent in late December 2024, while the Biden administration was still in office. With no confirmed OCR director and Health and Human Services being reorganized, it remains to be seen how OCR will enforce the HIPAA regulations going forward, Hodge says.
“This doesn’t mean that regulated entities don’t need to comply with HIPAA since state attorneys general may enforce the HIPAA regulations,” Hodge says. “Also, we continue to see class actions based on breaches of unsecured protected health information.”
Source
- Elizabeth F. Hodge, JD, Partner, Akerman, West Palm Beach, FL. Telephone: (561) 273-5503. Email: [email protected].
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.