The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has delayed its second round of HIPAA audits while it works to get a Web portal up and running through which entities can submit information.
OCR senior adviser Linda Sanches, speaking at the Healthcare Information and Management Systems Society's privacy and security forum in Boston this week, said only "stay tuned" about when the audits actually will begin.
"We recently had an opportunity to update the technology we're using, giving us capabilities that we just didn't have access to before," HealthITSecurity.com quotes Sanches as saying. "OCR has held off on the start of audits so we could implement this new technology. I'm ready to go, but our technology isn't quite there yet."
The portal technology is expected to ease the human workload in the audit process by collecting, collating and analyzing audit data, according to HealthcareInfoSecurity.com.
In 2012, OCR contracted with consulting firm KPMG to conduct audits of 115 covered entities. It had announced plans to use its own staff for the second round for "desk audits," beginning this fall, of 350 covered entities and around 50 business associates.
It's now planning fewer than 200 desk audits, but more on-site, comprehensive audits than had been planned before, according to HealthITSecurity.com. For the audits, OCR made up a pool of various types of entities--such as hospitals, practices and dental offices--then created a random geographic distribution between small and large providers.
Sanches urged organizations to have a complete list of business associates and the services they provide. Those lists will be the source of the business associates chosen to be audited.
The required documentation will be the same as the previous audits, Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force, told FierceHealthIT. However, that documentation must be meticulous, according to Adam Greene, a privacy attorney with Washington, D.C.-based law firm Davis Wright Tremaine.
To learn more:
- here's the HealthITSecurity.com story
- read the HealthcareInfoSecurity.com article