Learn About the New HIPAA Audits with OnRamp, So Your Business Is Fully Prepared.
HIPAA Audit Overview
Back in February 2014 the Office for Civil Rights (OCR) conducted a survey with a select group of Covered Entities (CEs) and Business Associates (BAs) to find out what they had been doing to secure their electronic protected health information (ePHI). The survey was used to decide whom the OCR would choose for the next round of audits. So, what will the second round of audits be like?
While the first set of pilot audits involved on-site visits that thoroughly examined a wide range of HIPAA compliance issues, the upcoming audits will have a narrower scope and be conducted mainly off-site. By concentrating on specific requirements and auditing off-site, the OCR will be more efficient and reach more BAs and CEs than before.
Covered Entities vs. Business Associates
For CEs there will be 100 audits focused on the HIPAA Omnibus Breach Notification Rule to see who is complying, then 100 audits concentrated on the HIPAA Privacy Rule, and 150 audits that home in on the Security Rule, thoroughly examining risk analysis.
For BAs the audit process is a bit different. This group will be audited to determine whether they are complying with the risk analysis and breach notification requirements. Those BAs selected to participate in these HIPAA audits will be notified of their upcoming audits in 2015, while CEs will be asked to release their data in Fall 2014.
Many CEs and BAs feel that these audits are a burden, when they are actually a blessing in disguise. Although an audit is stressful, the OCR has to dissect the selected organization's computer systems and IT infrastructure so that any holes that exist are pointed out and corrected. Anyone who undergoes this process has an advantage over any CE or BA that has not been audited: their issues are already laid out, they are able to learn from their mistakes, and they become more efficient at securing their ePHI.
How To Prepare
By working with an IT provider that understands the law as outlined by HIPAA and is making a concerted and well-documented effort to maintain the confidentiality, availability and integrity of PHI, you can alleviate many of the concerns for this portion of your business, especially if you must undergo an audit.
OnRamp has gone above and beyond other data center providers in the cooperative relationships we form with our customers to meet and maintain compliance. Through the use of an online, proprietary HIPAA Risk Management Tool, OnRamp guides customers through a 3-step process to evaluate and develop plans to manage the risks associated with the IT environment housed in one of OnRamp's state-of-the-art data center facilities. The documentation that results from the process serves as the basis for the policies and procedures generated (specific to each customer) and for the Business Associate Agreement which they sign. These items fulfill some of the key requirements of HIPAA and can help in preparation for the OCR's audits.