HIPAA Compliance Audit Program

It is not widely known that one of the provisions of the HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules, as well as with the HIPAA Breach Notification standards. To implement this mandate, OCR ran a pilot program from November 2011 to December 2012. The results of this pilot were used to evaluate and verify the program's effectiveness and to further improve the audit program design and the entity selection process.

The main purpose of this program was to identify best practices and to discover risks and vulnerabilities that had not previously been addressed through the official complaint process. OCR has made this information available to the public. Only 11% of covered entities were in full compliance.

Most issues were discovered at the smallest providers, which experienced the greatest number of violations. The cause of the majority of the violations was that the entity was unaware of the requirements; this falls under the 'did not know' tier of penalties. Other causes leading to a violation were:

  • Lack of application of policies and procedures,
  • Incomplete implementation of required components, and
  • Complete disregard of the HIPAA regulations.

Phase II of the HIPAA Compliance Audit Program

Due to the less than satisfactory results on the part of small providers, the program was expanded into Phase II. While no set start date has been announced at this time, the second phase of audits is scheduled to begin in the fall of 2015 and continue into 2016.

Phase II will likely result in compliance reviews of providers nationwide. According to the OCR report, the audits will focus on covered entities and their compliance in the following areas:

  • Security risk analysis and management
  • Breach notifications
  • Notice of privacy practices issues

In 2015-2016, covered entities will be audited on device and media controls, transmission security, privacy safeguards, and compliance with workforce training requirements.

2016 is projected to be the year in which audits will focus on encryption and decryption, facility access controls, and other areas of high risk identified during the previous phase.
