The Office for Civil Rights (OCR) formally released its plans for HITECH-required HIPAA privacy and security audits on its website Nov. 8.
OCR posted on its website that it expects the initial round of audits to begin this month. It also announced for the first time that, in addition to covered entities, business associates (BAs) will be eligible for the audits. But it added that BAs would be included in the audits only in the “future.”
OCR will audit “as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and healthcare clearinghouses may all be considered for an audit.”
“We expect,” OCR continued, “covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.”
OCR said it expects a typical audit to last about 30 days, from the notification letter to the initial report. It says it plans to provide entities with 30- to 90-day notice before an onsite visit.
The information released this week includes audit material in OCR’s “pilot phase.” After this first round of audits, OCR may tweak its plan based on reviews. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, OCR said, auditors will interview key personnel and observe processes and operations to help determine compliance.
“Prior to finalizing the (audit) report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified,” OCR wrote. “The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.”
Entities will have 10 business days to review the auditor’s report.
Will OCR hand out fines for violations? In its website report, OCR said if an audit indicates a “serious compliance issue,” it may begin a compliance review of that entity. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.
“Audits are primarily a compliance improvement activity,” OCR wrote. “OCR will review the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA rules.”
OCR also included in its report this week a sample audit notification letter.






What about internal auditors of the govt contractors (“partners”) where the biggest thefts and violations are occurring and ongoing which is $4 million on my records alone and 500 witnesses who filed the fraud reports and Vangent violated contract and never forwarded to CMS estimates it’s over a trillion? When will the real violations cease? Altering diagnosis codes by claims processing contractors is illegal and it’s costing lives and bad injuries as doctors rely on it for medical history. See the congressional study done several years ago. Who are the auditors, the thieves and violators affiliates? This is why the people are in the streets as the lawlessness inside the govt has to cease. And cancel the contract with the Medicare fraud line as they are a joke and arrogant towards the public. Never should fraud end up to be in the hundreds of millions as my personal experience with Medicare fraud is that we used to be able to stop this by respecting those who called in and after a ‘pattern’ it was obvious crimes were being committed and we didn’t have computer systems that are available today that do no good when there’s an offline system being used hidden from the contract auditors inside the ‘partners.’ Why did Trailblazers create 15 phony Medicare numbers to create multiple claims out of one and pocket all but one and Medicare coordination of benefits facilitate all of this by altering the official records they get biweekly from agencies and employers which 3 Medicare judges said was accurate but no one can enforce the laws. So the whole thing is a sham as Medicare continues to be stolen by the very ones in charge and having a few corrupt high level officials in place that have been documented as being involved will continue until the Justice dept ‘cleans’ house at their Professions Standards office and prosecutes some whose actions have contributed to intentional deaths.
This would be considered murder if Congress hadn’t given immunity from crimes and internal investigations. And not docketing in and making the routine decision on whether to investigate or not on fraud reports against them has resulted in Congress being intentionally lied to by the Director of Medicare fraud which is supposed to be a crime in itself. Linda Joy Adams with files and monies missing in 5 agencies under the control of Affiliated computer services and interlocking affiliates with adequate documentation according to US attys office if any law enforcement could get the political appointees to investigate.