Mock HIPAA Audits: Preparing for an OCR Inspection

The clock may soon run out for organizations that have yet to comply with proper HIPAA procedures as the Office for Civil Rights (OCR) sets its sights on a 2015 start date for audits of an organization’s compliance with privacy, security and breach notification requirements.

Even as it announced changes, the OCR made it quite clear: once an inquiry begins, it’s too late to implement HIPAA compliance.

As noted in a previous post, the OCR originally planned to audit up to 1,200 organizations beginning earlier in 2014. The agency has since changed the start date to 2015 and reduced the number of organizations it expects to audit to 400. Organizations that have experienced a breach in the past are likely candidates for an audit.

HIPAA compliance managers are encouraged to use this extra time to prepare, as an ineffective audit defense will more than likely result in significant penalties and fines.

The OCR will also examine Meaningful Use goals validation as it relates to security risk analysis. Attestation for Meaningful Use requires a statement verifying that an annual review and update of all security risk analyses has been completed. Should deficiencies be found during the MU audits, which are in fact already underway, an organization faces the potential loss of incentive dollars.

Under these circumstances, it is in an organization’s best interest to prepare for a potential inspection by conducting a mock audit.

There are several approaches to conducting a mock audit. Just Associates’ best practices involve a hands-on counseling approach aimed at identifying areas of weakness and directing an organization toward full compliance.

  1. Introduction and Interviews: Just Associates begins the mock audit process by interviewing key personnel regarding breach notifications and business associate agreements. Consultants use the OCR’s Audit Program Protocol as the primary reference for preparing an organization for an OCR inquiry. Note: The OCR is planning to update the audit protocol in the coming months. Organizations can expect to see changes to privacy and breach requirements, while security protocols are predicted to stay the same.
  2. Policy vs. Practice: To begin locating potential holes in the system, consultants examine an organization’s policies as they relate to its HIPAA practices. This includes a comprehensive review of documentation to look for any inconsistencies as well as a thorough on-site validation of policy implementation. The only thing worse than not having a HIPAA policy is having one that hasn’t been implemented or that isn’t being followed.
  3. Recommendations: Upon completion of the mock audit, Just Associates provides a detailed report with recommendations for improvement. During this process, consultants provide counseling and guidance so that a facility’s staff can properly reconcile deficiencies.


Mock audits can dramatically improve organizations’ ability to pass an OCR inspection. In order to ensure an organization gets the most out of a mock audit, the entire staff must develop a policy of complete transparency. Hiding potentially damaging information fails to make effective use of a mock audit and places an organization at greater risk of failing an actual OCR inspection. Visit the Just Associates website for a detailed description of HIPAA Privacy Consulting.