
Be prepared for HIPAA audits

The burden of proof lies with healthcare organizations

Tom Sullivan, Editor-in-Chief, Healthcare IT News

Even if you’re in compliance it pays to be ready.

With the Office for Civil Rights gearing up to begin auditing providers from large to small across the country, the best thing providers can do to prepare is to actually be in compliance and to conduct a comprehensive risk analysis, said Linda Sanches, OCR’s senior advisor for health information privacy.

While that advice may seem obvious, OCR’s auditing process is something of a mystery to healthcare providers. Sanches offered a glimpse into the agency’s auditing mindset at the HIMSS Media and Healthcare IT News Security and Privacy Forum held in Boston, Mass. in mid-September.

Who to audit or investigate, how much to fine

When deciding whether or not to audit a provider or investigate a reported breach, OCR looks for patterns. So if the office receives information about a given provider having several similar breaches and it appears they are not doing anything about them, that manner of evidence suggesting the provider is not in compliance or does not have proper procedures set up would weigh heavily into OCR’s decision.

“The onus is on you to prove you had the proper systems in place,” Sanches said. “If you did a comprehensive risk analysis and took the necessary steps, that’s what you need to show us.”

Organizations that fail to do so are ripe not only for investigations but also for settlement fines, which range from, say, $215,000 on the low end right up into the millions of dollars.

The factors determining fine size are listed in OCR regulations, but include how much harm was done and how many provisions were violated, Sanches said.

“The sky is not the limit,” Sanches said of fine totals. “It’s basic math. How many people were affected?”

When will the audits start?

While Sanches didn’t offer an audit start date, she did tell her audience that the number of audits the agency planned on has dropped. OCR originally planned to conduct 400 desk audits and a large number of on-site audits. Now it is looking at fewer than 200 desk audits, she said. She didn't confirm a specific number of on-site audits for covered entities, but another wave of Business Associate audits will follow those.

HIMSS Media vice president of content Gus Venditto contributed to this report. This article is based on a report appearing on Government Health IT.
