Editor’s note: The following excerpt from the September Briefings on HIPAA is the third in a series of questions answered by Susan McAndrew, JD, deputy director of health information privacy for the Office for Civil Rights (OCR).
What is the anticipated scope of these OCR HIPAA audits?
"OCR will look at overall compliance efforts as a way to ensure that effective protocols are in place for the audits of both the Privacy and Security Rules," says Susan McAndrew, JD, deputy director of health information privacy for HHS' OCR. Thus, rather than focusing its audits on a specific set of issues, OCR will be taking a general look at an entity's compliance.
Organizations selected for an audit will receive notification beforehand.
"The audit process will include standard components associated with most audits," says McAndrew.
For example, preliminary steps, such as document requests, will occur, she says. After on-site visits, auditors will send audited organizations reports and will communicate with covered entities (CEs) to ensure that everyone understands these reports, says McAndrew. "Audit reports generally describe how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings," she says.





