As part of its ongoing HIPAA audit initiative, HHS OCR is conducting “HIPAA desk audits.” These audits don’t involve auditors coming into your facility. Instead, covered entities are being asked to submit documents on:
(1) their risk analysis and risk management plans under the HIPAA security rule;
(2) the content and timeliness for following the HIPAA breach notification rule; or
(3) the notice of the entity’s privacy practices for health information and patients’ right to access their data.
Business associates also will be required to submit the same security rule information as covered entities. They also must submit their plan for reporting any data breaches to the covered entity.
Once these desk audits are completed, the next step of the HHS OCR audit program, on-site audits, is scheduled to begin early in 2017.