You have seen all the hysterical headlines — “The HIPAA audits are coming, the HIPAA audits are coming….” But when you really think about it, what is the big deal? If you are a HIPAA covered entity, you surely know by now what you are supposed to be doing. And you probably have been doing it– so just check around to make sure before you get the dreaded letter from HHS OCR. And if you are a HIPAA business associate, you are probably a bit behind the covered entities, but again, it’s not a secret what you need to do. And it’s good for business to be able to assure you customers that you are able to protect their data and keep them from getting into trouble.
The OCR’s stated process is simple:
- You will receive a letter by email that asks you to fill out a pre-audit questionnaire; this is designed to gather data about the size, type, and operations of your entity, as a potential auditee.
- Fill out the questionnaire.
- Wait to see if your organization is selected for audit.
- In the meantime, check your HIPAA policies, procedures, and business associate agreements to make sure they are up to date. If they haven’t been touched since before the Omnibus regs were issued in 2013, get to work!
- If you are selected for an audit, you will have to produce your policies and procedures.
In the meantime, keep watching the OCR website (and this space) for updates.