How The OCR’s Audit Program Crashed a Cocktail Party?
Last month I was in The Emerald City (Seattle, Washington) attending to business, renewing old friendships and taking in the beautiful sights of a place I once called home.
During a social gathering, I introduced myself to a Covered Entity, who then proceeded to confess to me that the nonprofit at which he holds the combined role of Privacy and Security Officer was chosen for the Phase 2 HIPAA Audit Program being conducted by The Office for Civil Rights (OCR). He had received an email notification a week or so earlier from the OCR.
How fortunate is this? This is like winning the Lotto in compliance: being able to ask questions of a covered entity who was actually chosen for the Phase 2 Audit. As a compliance geek, I wanted to learn more, know more, so I started to ask questions.
But, before I share with you my question and answer session, I want to remind the readers of the stated purpose for the audits, as it reads on the OCR website for the Phase 2 Audits:
“OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”
Judi: When did you get the email?
Covered Entity: A couple of weeks ago, I just haven’t had time to get to it.
Judi: I have been reading that the OCR has been encouraging those selected to get the information in to them. I believe they said 10 days. (I said to myself, Oh My Gosh.)
Covered Entity: They are asking about our Business Associates (BA).
Judi: Do you maintain all of your agreements in a repository with an Excel spreadsheet? (Blank stare from Covered Entity.) I am sure you have your Business Associate Agreements (BAA) updated. (Me nodding, hoping the statement is correct.)
Covered Entity: Sure, after the HITECH Act.
Judi: There were some significant changes with the Final Rule in the relationship of a BA and the BAA. The Final Rule made a number of changes to the required terms and conditions of a BAA, which requires Covered Entities, BAs and subcontractors to update existing BAAs.
Covered Entity: (Sips his cocktail, rather, he chugs the remainder of his cocktail.)
Judi: Do you require your BAs to provide you with their Annual Risk Assessment?
Covered Entity: (Shakes his head no, while going for another cocktail and some appetizers.)
Judi: I am not sure whether you knew, but I am in the middle of publishing my comprehensive HIPAA Compliance Guide: over 150 customizable policies and procedures, required forms, logs, audits, and 22 chapters containing 100 pages of updated narrative pertaining to HIPAA and the changes with The Final Rule. Let me give you my business card.
Covered Entity: Oh, I have a manual, I wrote it.
Judi: That’s wonderful. Good luck with your Audit. Since you have my card, please feel free to reach out to me should you need some guidance or a consultant. I am in the Seattle area often.
Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures for your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult