The Office for Civil Rights (“OCR”) has selected Ashburn, Virginia-based FCi Federal to conduct the next round of HIPAA audits mandated by the HITECH Act. OCR views the audits as a compliance tool that will hopefully get out in front of industry problems before they happen.
This round is different than the first round in that business associates, as well as covered entities, will be subject to the audits. OCR has already started the process of verifying contact information for the entities that are within the potential scope of the audits. OCR will be releasing an updated audit protocol closer to the start of the audits.
Here are five practical steps that covered entities and business associates should take to prepare for the audits (and to improve your overall security posture in general):
- Conduct and Document a Risk Analysis. The HIPAA Security Rule requires that all covered entities and business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information. A good place to start your risk analysis is with the OCR audit protocol and NIST Special Publication 800-53. Both provide a good baseline of HIPAA Security Rule compliance.
- Create an OCR “Welcome Binder”. Use the OCR audit protocol to create a binder of information that contains all that OCR will request upon their arrival. This will include items like your latest risk analysis, policies and procedures, and a designation of a security official. Creating the binder is a great way to identify gaps in your security posture.
- Document the Designation of a Security Official. The HIPAA Security Rule requires that covered entities and business associates identify an individual who is responsible for the development and implementation of the policies and procedures required by the Security Rule. All too often organizations know who is responsible for security, but they have failed to document the fact that the organization has designated the individual as the HIPAA Security Official.
- Inventory Your Business Associates and Subcontractor Business Associates. The HIPAA Privacy Rule requires that all covered entities have business associate agreements in place with their business associates and that all business associates have subcontractor business associate agreements in place with their subcontractors. It’s important to know and document who your business associates and subcontractors are, and to ensure that you have a HITECH-compliant business associate agreement or subcontractor business associate agreement in place with each of them.
- Have an Incident Response Plan and Know Who to Call. The HIPAA Security Rule requires that covered entities and business associates implement policies and procedures to address security incidents. From a practical perspective, organizations should create a list of the team they will call in the event of a security incident; this can include computer forensics experts, IT security consulting firms, and legal counsel experienced in breach response and mitigation.
Following these five steps will help improve your organization’s security posture and better prepare you for the impending OCR HIPAA audits.