Three steps to prepare for a HIPAA audit
What’s the Issue?
Historically, HIPAA enforcement has been limited to events stemming from complaints, and the associated civil monetary penalties were often considered insufficient to deter other covered entities (CEs).
Going forward, indicators suggest this will change:
- HITECH’s Breach Notification Rule made privacy and security weaknesses visible and public to the point where they cannot be ignored or dismissed
- Enforcement totals for 2011 were the highest ever, exceeding $6 million in fines
- OCR’s new director is an experienced prosecutor
HIPAA audits are just the latest enforcement channel. OCR still responds to complaints and reported breaches, but it has also increased its staffing resources through hiring and training in the areas of privacy and security enforcement.
As OCR takes an aggressive approach towards oversight and enforcement, CEs should reconsider their past practices for HIPAA compliance so that they are well prepared for the new paradigm.