Corporate Compliance

Tip: Prepare proactively for OCR HIPAA audits

Compliance Monitor, November 30, 2011

Briefings on HIPAA has obtained a copy of the $9.2 million contract with KPMG, LLP, the company OCR hired to conduct HIPAA compliance audits; it reveals some details about what healthcare organizations can expect when the audits begin.

KPMG, based in McLean, VA, will conduct 150 audits by December 31, 2012. The contract calls for completion of an average of at least 10 audits per month to ensure completion of all reviews by this deadline.

Bob Chaput, CEO of Clearwater Compliance, a HIPAA–HITECH consulting company based in Nashville, recommends the following five steps to prepare for potential audits:

  • Establish a privacy and security risk management council and a security management process in accordance with 45 CFR §164.308(a)(1). "Time and time again, I see organizations that don't have governance over their program," he says.
  • Complete an evaluation in accordance with 45 CFR §164.308(a)(8) to assess Security Rule "black letter" compliance and to understand the complete regulation. Use the provisions in the Security Rule as your checklist.
  • Complete a risk analysis in accordance with 45 CFR §164.308(a)(1)(ii)(A) to assess your risk and determine your security posture. Then initiate a corrective action plan for any risks you find. HIPAA requires a risk analysis, which your organization should conduct at least annually, says Chaput. Review the threats and vulnerabilities your organization faces. Although the rule requires it, many organizations have not done this. "It's a huge positive step to get that done," he says.
  • Complete an assessment of compliance with the Privacy Rule using 45 CFR §164.530 administrative requirements as a guide. The Privacy Rule addresses issues such as policies, procedures, and training your workforce. Use the rule as a checklist for what you need to do.
  • Document and act upon a corrective action plan for Security and Privacy Rule compliance and overall risk management in accordance with 45 CFR §164.308(a)(1)(ii)(B). "This is your to-do list," says Chaput. Demonstrating that you have finished your corrective action plan will go a long way to demonstrating compliance, he says.

Editor’s note: The following tip is adapted from an article in the November 2011 Briefings on HIPAA.
