Deven McGraw: HIPAA audits will require quick response

Covered entities picked for HIPAA program desk audits will be required to submit documentation within 10 business days, said Deven McGraw, deputy director of health information privacy at the U.S. Department of Health & Human Services' Office for Civil Rights (OCR).

The material will deal with basic HIPAA requirements and "they should be able to move on this quickly," McGraw told

At the same time, the protocol for the audits, released in April, has been described as "dense," with more than 180 areas of inquiry. It includes risk analysis and risk management, notices of privacy practices and response times to requests for access.

"We've done a lot of work to make it much more comprehensive," McGraw said.

OCR is still verifying contact information for entities that will be in the selection pool, she added. Because its database of business associates isn't robust enough, covered entities will be asked to add their BAs to the pool. Covered entities will be audited first. A total of 200 to 250 organizations will be audited starting this summer, she said.  

However, organizations that have not been asked to verify contact information aren't out of the woods yet, she said. Because OCR is working with multiple databases, not all organizations that will be part of the pool have been contacted.

In particular, those who have been contacted should review the protocol and make sure they can provide the required documentation quickly.

"We expect the protocol to be a very good self-assessment tool for entities. … It's a really good protocol for just getting your house in order from a HIPAA compliance standpoint," she said.
