HIPAA Audit Lottery

June 1, 2015

The first stage of winning an HHS OCR HIPAA audit is being one of the 500 covered entities and 200 business associates who receive the OCR screening survey. While this is not a guarantee of an audit, your odds have just gotten a lot better (or worse). Out of millions of entrants in the lottery, the field will be narrowed considerably. If you want to get an advance look at the survey, go to http://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=201405-0945-002&icID=211635. From there you can download a copy of the 14-page survey.

From this pool, an undisclosed number of winners will be chosen for an unannounced audit. Whether you get the survey or not, you should probably take a few minutes to assess your audit readiness, because the OCR audit is not the only way to win. An audit could be triggered by a patient complaint, a whistleblower, a breach by you or someone else in your HIPAA custody chain, a state attorney general, or just a business partner or client with whom you have a business associate agreement.

What are the key elements you should look for? An up-to-date (less than 12 months old) HIPAA risk assessment performed to meet the NIST standards, written policies and procedures tailored to your organization, and documented training and awareness for your staff. Obviously, an audit will involve more granularity, but this is where they will start. If you fail any one of the three, you will probably fail the audit.

So, how do you enter this lottery? You are entered automatically, without your permission, by being an organization or person that accesses, transmits, stores, or creates protected health information (PHI).

Keep an eye out for the envelope from OCR, and also keep an eye on your HIPAA compliance. If you need help or more information, let me know at Jack@compliancehelper.com.

