In a Feb. 24 notice in the Federal Register, the HHS's Office for Civil Rights (OCR) announced its intention to resume its HIPAA Audit Program. By and large, the audit program has been inactive since December 2012, when OCR concluded its pilot audit program.
In the notice, OCR proposes to survey up to 800 HIPAA covered entities (health plans, healthcare clearinghouses and healthcare providers), and 400 business associates. OCR expects to use the survey to gather information including, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations. According to the notice, OCR will then use the information to verify if the entity is a suitable candidate for a HIPAA audit. While all those surveyed are not expected to be audited, OCR is declining to say how many organizations are likely to be actually audited. Accordingly, all covered entities and business associates should be prepared.
One of the primary focuses of the resumed audits is expected to be whether covered entities have conducted timely and thorough security risk assessments as required under HIPAA. According to the OCR, about two thirds of covered entities audited in 2012 failed to conduct appropriate security risk assessments. Security risk assessments have been required under HIPAA since April 2005 and are a core requirement under the Medicare and Medicaid EHR Meaningful Use incentives.
Whether you've done your risk analysis or not (and annually review it, too), HHS has recently developed a tool to help providers comply with this requirement. The Security Risk Assessment toolbox is designed to help small to medium sized health care providers conduct and document a risk assessment. It’s important to note that use of the new tool is not mandated by OCR or under HIPAA - there is no standard template for what a risk assessment should look like, since it's entirely dependent on the specific facts of the specific entity.
