By Jack Anderson
April 6, 2016
If you were lucky enough to not receive one, here is the questionnaire that is going out to all potential audit winners. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/questionnaire/index.html
The only good thing about these audits is that, instead of the auditor just showing up on your doorstep one fine morning, you get a little bit of warning. This should also serve as an early warning to those who have not received the questionnaire, because in one form or another you will be audited soon.
Who will audit you and when is the only question. If you have signed a business associate (BA) agreement then the one who will want to audit you will be the company that required you to sign the agreement. The reason will be that HHS requires them to receive “satisfactory assurances” that you are living up to the terms of the agreement.
As is usual with HHS and their enforcement arm OCR, the definition of satisfactory assurances is open to interpretation. Unfortunately for you, the interpreter will be someone else.
It may well be that your audit will start with a questionnaire, the same way as for the lucky folks chosen for audit by HHS. This could range from a simple HIPAA checklist to something similar to the HHS questionnaire.
Another approach utilized by Figliozzi is a desk audit, where they ask you to send them certain documents, such as documentation of security awareness training for your staff.
If you look around your office and find that you don’t have these documents readily available, you might want to contact me to discuss getting them in place in the next 72 hours. You will sleep better knowing you are ready for that audit.
Jack@compliancehelper.com