By Jack Anderson
September 14, 2015
There are a number of blogs and announcements about the upcoming HHS audits. Here is a pretty good blog: http://www.privacyanddatasecurityinsight.com/2015/09/are-you-prepared-for-hhs-office-of-civil-rights-random-hipaa-audits/#page=1, but I don’t think the risks of a business associate getting audited by HHS or their consultants are very high. There are only 1,200 audits planned, and most of them are for covered entities (CEs). However, we have heard that one of the things they will ask covered entities to supply is a list of their business associates (BAs). This naturally leads to questions about the compliance levels of their business associates and whether BA agreements are in place. So the spotlight is going to move from the CE to the BA. In preparing for these audits, the CEs are going to become much more concerned about their BAs’ compliance levels. Many of them will do mini audits of their BAs. The three main points they will assess are: a current risk assessment, up-to-date policies and procedures, and documented staff training.
If you are chosen for an HHS audit, note that HHS has hired a firm to do primarily desk audits. If it follows the pattern of previous audits by Figliozzi and Company, it will be a letter requesting a number of documents within 10 days. These might include a formal risk assessment, copies of policies and procedures, a breach notification plan, staff training documents, and more. Failure to supply the documents within the time frame could trigger an on-site audit. Failing an audit can trigger not only fines and penalties but also remediation programs and oversight by an outside auditor.
We are pleased to be partners with ACR2 Solutions. They have done over 1,000 automated risk assessments based on the NIST protocol and their clients have had a 100% audit success rate. Together we offer a program that helps you build a legal firewall around your company and our HIPAAssurer program assures your compliance.
Contact me, jack@compliancehelper.com, or the other Jack, jack.k@acr2solutions.com, to find out how you can be “auditproofed”.