8 steps providers can take to be HIPAA audit ready

HIPAA audits are coming, and there are steps providers can take to make sure they are ready to go in the event they are "the lucky winners," Rebecca Williams, RN, partner and chair of the Health IT & HIPAA Practice group at Davis Wright Tremaine LLP, said during the 24th National HIPAA Summit in the District of Columbia on Tuesday.

The Department of Health and Human Services Office for Civil Rights is looking for a diverse pool of covered entities and business associates for the audits, meaning any organization can be impacted, Williams said. OCR Director Jocelyn Samuels said Monday that the effort will comprise more than 200 desk and on-site audits.

Currently, OCR is sending out emails to providers to verify contact information; organizations should make sure they have received the email (including checking spam folders) and that the right people will be in contact with OCR throughout the process, Williams said.

Steps organizations should take to prepare for and address a possible audit, according to Williams, include:

  • Respond to the request: "If you ignore this letter, OCR can still find you, they know where you live," she quipped.
  • Have an audit response team ready to go now.
  • Read the request carefully: Check whether it's a privacy or security request, calendar the timing and know whether it's an on-site or desk audit.
  • Get all data for the audit response in on time: OCR may not assess data that comes in late, Williams said.
  • Make sure data is current and on target: Don't submit extraneous information, she said.
  • Recognize that the audits will be conducted digitally through a secure portal, and make sure all of your organization's information can be submitted electronically.
  • Know your business associates: "You will be asked to identify your business associates. I know OCR says, and I recommend, have lists and contact information for BAs. Do that now," Williams said.
  • Update your risk analysis: "If you have not done one since 2003, it's time for a new risk analysis. ... If your risk analysis does not have ransomware addressed, it should," she said.

This is like an "open book test," according to OCR, Williams said. "All the questions are there [protocols]; all the answers are there [regulations]. Prepare for this now."