OCR Identifies HIPAA Audit Goals
"The audits are seen as an opportunity to gather information about exposures in the industry and proactively identify certain issues ahead of time before they result in breaches across the industry," Baker says. "The results of the audit will be a learning opportunity for the entire industry."
OCR is working on a model for objectively selecting organizations for audit based on risk factors (e.g., size, type of entity).
"The audits will not simply focus on organizations that had an incident," Baker said. "The initial focus will largely be on covered entities, as this is a group that's identifiable today."
McAndrews told HealthLeaders on August 5 that OCR is unsure whether to audit business associates in the first round.
Entities will receive advance notice before any audits. Although OCR is budgeted for 150 audits, Baker said it's "unlikely" the auditors will get through that many by the end of 2012. OCR plans to release aggregate findings across all audits as a "learning process for the industry," Baker says.
"OCR expects that organizations are performing risk assessments," Baker adds. "Risk assessments are not expected to be 'clean,' but it's important that organizations have corrective action plans in place and are diligently working to remediate issues."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.