While the second round of HIPAA audits might not be here as soon as expected, they’re coming soon. And it’s important to comply since there’s a good chance that some audits will carry financial penalties, according to the HHS Office for Civial Rights (OCR).
The HIPAA-covered entities that will be audited have already been randomly chosen. They include healthcare providers, healthcare clearinghouses, insurance companies and business associates.
"You cannot submit your name for an audit investigation, and you cannot submit the name of the hospital next door," Geraldine Davis, an OCR senior health information privacy specialist said at the American Health Information Management Association (AHIMA) annual convention. "It's a random methodology."
Privacy and security of personal health data is a very serious matter for anyone handling personal health data.
The 23 resolutions the OCR has settled for cash payments since 2008 have ranged from $215,000 for a small Washington county to $4.5 million for a university and teaching hospital in New York, according to. Since 2011, the OCR has collected a total of $26 million in fines.
"We will be investigating large hospitals, small hospitals, practices, insurance companies and individuals," Davis said at the conference.
Every entity covered under HIPAA is required to do a risk analysis routinely and also after a breach is discovered. This is meant to reduce harm to the data. The covered entity is ultimately responsible for the personal health information (PHI) in their systems. Now is the time to prepare for a HIPAA audit.