Risk of Random Selection for an OCR Audit: 1%-5%

In July of this year, the OCR began Phase II of its HIPAA Compliance Audit process. It randomly selected 167 Covered Entities for a “desk audit” and plans to conduct an additional 50-75 onsite audits over the course of the year. A similar process will be used to select and audit a sample of Business Associates beginning in September.

Given the hundreds to thousands of Covered Entities and Business Associates in any particular category, the risk of any single organization being randomly selected for an audit is very low, in the range of 1-5%. But random selection isn’t the only way to qualify for an OCR audit.

Risk of Audit Post Breach: 100% for breaches of 500 records or more

If your organization experiences a breach exposing the records of more than 500 individuals, the risk of being audited goes to 100% – the OCR audit becomes compulsory. In addition, the OCR recently announced that it will “redouble its efforts to investigate smaller breaches” (National Law Review). So a breach of any size automatically increases your risk of an audit. But what are the risks of a breach?

Risk of a Data Breach is approximately 90% for covered entities

The Ponemon Institute reported that 91% of healthcare organizations experienced a data breach in 2014. It reported a similar overall breach rate in its 2015 report – 89% had had at least one breach resulting in the exposure of patient data in the previous 24 months. The majority of the breaches affected fewer than 500 records, but 45% of the organizations sampled had been breached five times or more! The OCR is more likely to audit organizations that have experienced multiple breaches.

The news on Business Associates (BAs) was a little better but not great. In 2015, 61% of the business associates sampled reported at least one data breach resulting in PHI exposure. Twenty-eight percent (28%) reported being breached two or more times.

Bottom line: There’s probably an audit in your future. Get compliant today!

Don’t gamble your own or your organization’s future on the odds that you won’t be randomly selected. The risk of coming to the OCR’s attention as the result of a breach is very high – and growing as the frequency of breaches increases and the OCR casts a wider net. Reduce your risk of financial hardship by getting your organization into compliance as soon as possible.