OCR Building HIPAA Audit Plan With Outside Help

Dom Nicastro, May 24, 2010

HIPAA's privacy and security enforcer has hired an outside firm to help build its HITECH-required HIPAA auditing plan, the government agency tells HealthLeaders Media.

The Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for the Department of Health & Human Services (HHS), says it does not have a timetable for when the audit plan will begin.

However, in an e-mail to HealthLeaders Media Thursday, May 20, OCR says it is "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement."

The firm is Booz Allen Hamilton.

HITECH, signed into law by Congress February 17, 2009, requires OCR to conduct "periodic audits" of covered entities regarding HIPAA privacy and security compliance.

The contractor will help OCR with the "how" and "when" of the audit program.

Sue McAndrew, the deputy director for Health Information Privacy for OCR, told HealthLeaders Media at the 18th Annual National HIPAA Summit in February that "there are 1,000 ways to do this."

Talk of enforcement heated up this month at a national security conference, according to Mac McMillan, CEO of CynergisTek™ and one of the speakers at the Washington, DC, conference, "Safeguarding Health Information: Building Assurance through HIPAA Security."

The conference was hosted by HHS, OCR and the National Institute of Standards and Technology (NIST).

McMillan praised OCR for what he called a "proactive" approach to carrying out the provisions in HITECH and maintaining transparency in the process. He said the longtime privacy enforcer, which this year took over enforcement of the security rule from CMS, is "doing a much better job than its predecessor."

"OCR is much more organized and is quietly getting its stuff together," says McMillan, who has had conversations with top OCR officials. "With CMS, enforcement just didn't really fit. OCR on the other hand has been in the business of investigating privacy issues since Day 1."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.