Welcome to 2017.  If you haven’t heard, the Health and Human Services Office of Civil Rights (OCR) will perform several hundred on-site HIPAA audits this year. The possibility of being selected is highly unlikely, but if you are one of the “lucky” covered entities that is audited you had better be ready – with all your ducks in a row. Current HIPAA training is only one duck, you need at least four more.  So, prepare to go duck hunting and get them in order sooner rather than later.

There are two very important issues to understand about this new process and the protocol the OCR implemented in 2016. The OCR now requires documented proof that covered entities and business associates have …

1. Implemented HIPAA specific Policies and Procedures (P&P) in 2016 showing a plan for risk management.
2. Documentation, including the P&Ps and logs of HIPAA activity, in electronic format for uploading to their web site.

Don’t forget the OCR expected the following for a HIPAA desk audit starting in 2015 and 2016.

1. A current annual Security Risk Analysis (SRA) based on the OCR SRA questions and/or the NIST 800 standard.  In addition, a risk assessment that includes privacy is needed as well.
2. Current HIPAA training that includes privacy and cyber security training for all staff with access to PHI and ePHI.

The real takeaway?  The OCR expects to automate auditing and all covered entities and business associates will be audited by 2019.  The OCR expects covered entities and business associates to have HIPAA compliance documentation in electronic format starting in 2016.  Make sure your HIPAA report, corrective actions and logs are in electronic format and that you can show improvement in your HIPAA compliance.

Call-To-Action: If you haven’t started and done all of the necessary steps to be HIPAA compliant, it’s time to take action and have a Risk Assessment done immediately and make sure it’s delivered and available in electronic format, preferably online.