OCR HIPAA audit program

It also specified how and when to return the requested information to the auditor. OCR expected covered entities and business associates who were the subject of the audit to provide requested information within 10 business days of the request for information.

OCR notified selected covered entities between 30 and 90 days prior to the anticipated onsite visit. After fieldwork was completed, the auditor provided the covered entity with a draft final report; a covered entity had 10 business days to review and provide written comments back to the auditor. Audits were primarily a compliance improvement activity. OCR reviewed the final reports, including the findings and actions taken by the audited entity to address findings.

Generally, OCR used the audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR could initiate a compliance review to address the problem. OCR did not post a listing of audited entities or the findings of an individual audit which clearly identified the audited entity.

The audit program represents one more avenue by which OCR ensures compliance with HIPAA protections of health information to the benefit of consumers. For example, the audit program could have uncovered the reasons many health information breaches occur and helped OCR create tools for covered entities to better protect individually identifiable health information. Compliance concerns identified and corrected through an audit serve to improve the privacy and security of health records.

The technical assistance and best practices that OCR generates will also help covered entities and business associates improve their efforts to keep health records safe and secure. OCR continues to accept complaints from individuals, and covered entities continue to have the obligation to accept complaints from persons about their HIPAA Rule activities. The audit protocol was designed to work with a broad range of covered entities, and the audit procedures varied depending on the size and complexity of the entity being audited.

No, the scope of the audit program did not extend beyond the Privacy, Security, and Breach Notification Rules. The Department entered into a contract with the audit contractor to conduct the audits on its behalf. Covered entities were not responsible for remuneration of the auditing firm. For the pilot phase of the audit program, OCR identified a pool of covered entities for audits that broadly represent the wide range of healthcare providers, health plans, and healthcare clearinghouses that operate.

Using this spectrum of audit candidates permitted OCR to assess HIPAA compliance in a variety of entities with unique operating environments and relationships with patients. Among the specific criteria used to select particular candidates were whether the entity is public or private, the size of an entity, affiliation with other healthcare organizations, the type of entity and relationship to patient care, and past and present interaction with OCR concerning HIPAA enforcement and breach notification.

If you are selected for an audit, OCR will supply you with instructions on exactly how to reply. With this in mind, take care to conduct all correspondence with OCR in a timely manner, adhering to the schedule that they set. Often it is appropriate to assign one individual to be responsible for these communications. As the audit process proceeds, be sure to make comprehensive records of all your correspondence.

Your legal counsel, whether in-house or external, is another essential part of your OCR audit response team. Keep them up-to-date throughout the entire process, giving them access to all communications between your organization and OCR.

Within your organization, transparency and coordination between the relevant officials is absolutely key. If OCR delivers a finding that you perceive to be inaccurate, you should speak up — OCR generally gives organizations the opportunity to respond to the issues they raise. Use documented evidence when possible and be able to justify your security and compliance strategy.

One crucial thing to remember about HIPAA is that you have some flexibility to meet many of its requirements in various ways, but you must be able to provide the rationale for your decisions. Recently, we discussed how organizations might employ various approaches to session timeouts to meet the HIPAA implementation specification for Automatic Logoff on devices with access to ePHI. When you communicate with OCR, be clear and deliberate. Craft your messages carefully, and provide the requested information in transparent detail — but avoid supplying arbitrary or superfluous data.

Be timely in all of your responses, and ensure that you have a qualified and responsive team in place to handle the audit process. If compliance issues are found, you may be asked to undergo voluntary compliance activities, or possibly a more detailed review. For very serious issues, your organization may be required to take corrective actions; in some cases, you may have to enter into a resolution agreement.

In such situations, we recommend working with consultants and attorneys who have experience dealing with the OCR. An audit is a nerve-wracking experience for many, but you can take steps to minimize both your risk and the disruption. With the right actions, you can get through the audit smoothly and focus your attention on helping patients.

What Does Protocol Coverage Include?

Security Rule requirements for administrative, physical, and technical safeguards.
Requirements for the Breach Notification Rule.

A few additional guidance points from the OCR include:

Only requested data submitted on time will be assessed.
All documentation must be current as of the date of the request.
If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
Do not submit extraneous information, as it will make it harder for the auditor to assess the required items.

The evaluation results and recommendations were provided to OCR in September. OCR greatly appreciates support for its efforts to develop and enforce strong health information privacy and security protections.

Selected entities:

Received advance notice of at least a week to coordinate personnel and prepare responses to any minor, clearly defined requests.
Did not receive any additional findings or observations as part of this evaluation.
Had open lines of communication for any questions and to avoid any surprise requests.
Were not subject to on-site visits.
Were not provided opportunities to refute findings noted in their audit report.
