OCR privacy, security audits to include BAs

Compliance Monitor, November 16, 2011

The OCR revealed its plans for HITECH-required HIPAA privacy and security audits on its website November 8.

OCR said on its website that it expects the initial round of audits to begin this month. It also announced that business associates (BAs) will be subject to audits for the first time, but said that this would occur in the future... OCR will audit “as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and healthcare clearinghouses may all be considered for an audit,” according to the OCR website. “We expect covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule,”

The agency said it expects a typical audit to last approximately 30 days, from notification letter to initial report. It plans to provide entities notice 30 to 90 days before onsite visits.

OCR said the pilot phase of audits would include site visits and audit reports. During site visits, auditors will interview personnel and observe processes and operations to assess compliance.

Read this post and more on the HIPAA Update blog.