Editor’s note: The following excerpt from the September Briefings on HIPAA is the fifth in a series of questions about the HITECH-required Office for Civil Rights (OCR) HIPAA compliance audits answered by Susan McAndrew, JD, deputy director of health information privacy for OCR.
Will enforcement be an audit component?
The audits won't be incident-driven, so a breach or violation won't be necessary to trigger an audit. "With audits, there is no necessary precipitating event," says McAndrew. "Audits are a type of review that serves more as a compliance improvement tool than an investigation of a particular violation that may lead to sanctions and penalties."
However, OCR isn't ruling out enforcement actions in response to audit results.
"Vulnerabilities and weaknesses found during the audit may need to be addressed through corrective action, and if serious compliance issues are uncovered in the course of the audits, those also must be addressed," she says. "Audits may uncover compliance issues that may trigger an enforcement action."
OCR also must decide whether to continue its audits beyond 2012.
OCR will evaluate the audit program and determine whether it is a good use of resources, McAndrew says. These determinations will influence future decisions about what to do with the findings beyond the end of the current contract in 2012.

Thanks for posting these excerpts. It is important that people are as educated as possible about these audits.