• Are You Ready for The OCR’s Visit?

  • The audits by the Health and Human Services Department’s Office for Civil Rights (OCR) are slated to begin early this year. 

    Of the 350 entities selected, there will be 232 healthcare providers, 109 health plans, and nine healthcare clearinghouses. The business associates will include 25 Information Technology companies and 15 non-Information Technology companies all working within the healthcare industry. The OCR plans to audit 150 entities and 50 associates for compliance with security standards, 100 entities for compliance with privacy standards, and 100 for compliance with breach notification standards.

    The OCR has been transparent about the topics it will target. From the way patients access and obtain their data to breach notification policies, the OCR will cover a wide range of functions that are listed in detail on its site.

    Content that was created by the OCR for the HHS website states “the use of health information technology continues to expand in health care. Although these new technologies provide many opportunities and benefits for consumers, they also pose new risks to consumer privacy. Because of these increased risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”

    The top five issues that were found and resulted in corrective actions were:

    • Impermissible Uses & Disclosures

    • Safeguards 

    • Access

    • Administrative Safeguards

    • Technical Safeguards

    As your organization reviews the policies, procedures and guidelines that support HIPAA and HITECH standards, the OCR will look into security, privacy and breach notification rules to analyze risk, safeguards and implementations, especially those associated with electronic health information and device encryption.

    Smart healthcare executives will use the waiting period before audits to begin assessing risk, preparing staff and reviewing policies. You don’t need an audit to have a visit from the OCR. 

    Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com, or follow on Twitter @judithconsult and LinkedIn at www.linkedin.com/in/judithlindsay