Privacy & Security

OCR: Onsite HIPAA audits coming in 2017

HHS Office for Civil Rights said the chances of getting audited are slim, but officials offered advice about what they're looking for when they do conduct an assessment.
By Tom Sullivan
December 07, 2016
11:52 AM

BOSTON — An HHS Office for Civil Rights official said Wednesday that the agency will be conducting on-site audits of hospitals in 2017.

OCR currently has more than 200 audits ongoing – 167 of those focused on providers, and just last week it sent out 48 to business associates, OCR senior advisor Linda Sanches said here at the HIMSS and Healthcare IT News Privacy & Security Forum.

"We will be conducting a small number of on-site audits in 2017," Sanches added. "Obviously your chances of getting an audit are very, very low."

OCR is using the audit process, Sanches explained, to find risks and vulnerabilities the government is neither aware of otherwise nor likely to learn about through filed complaints.

[Roundup: Everything that happened at the Privacy & Security Forum

HIPAA-covered entities have 10 days to respond to a desk audit. OCR is looking for policies and procedures to address privacy rule controls, breach notification rule controls and security rule controls.

"We’re looking for evidence that you are implementing the policies and procedures," Sanches said. "Two huge problems we’re seeing are implementation of risk analysis and risk management."

John Houston, UPMC vice president and associate counsel, pointed out to Sanches and OCR regional manager Susan Rhodes that information about exactly what OCR demands is lacking.

"We do a lot of stuff we consider to be a risk assessment but there’s not clarity on what that really means from OCR’s perspective," Houston said.

Rhodes answered that OCR requires entities to look at their own universe – and added that one-size fits all risk analysis is not realistic.

"There’s a lot of guidance on our web site – a lot," Rhodes said. "We put out a lot more than is commonly understood."

Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com

 The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016. 
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Government & Policy, Privacy & Security, Privacy & Security Forum Boston 2016

More regional news

View of Mount Sinai Health System buildings in Manhattan

Mount Sinai Health announces new Center for AI and Human Health

By
Andrea Fox
November 25, 2024
Clinician stands, working with a tablet

Yale study shows how AI bias worsens healthcare disparities

By
Mike Miliard
November 25, 2024
A person checking their smartwatch-tracked fitness data on their smartphone.

Singapore tackling chronic diseases with wearables

By
Adam Ang
November 25, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Clinician stands, working with a tablet
Yale study shows how AI bias worsens healthcare disparities

Most Read

CrowdStrike all but assures Capitol Hill: Never again
Korea's largest hospital bags APAC's first Stage 6 of new INFRAM
HHS investing $75 million in rural healthcare infrastructure
GPs cry My Health Record 'overhaul' and more briefs
FCC set to require georouting for 988 Lifeline calls, enhancing access to local services
Sens. Warner & Wyden seek healthcare cybersecurity mandates in new bill

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Paul Wilder at CommonWell Health Alliance_Part 1_Digital binary code with springing lock Photo by JuSun/iStock/Getty Images Plus
Notching up FHIR at scale - Part 1
David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care

More Stories

David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
David Miles of Oklahoma Heart Hospital
Deep dive: A tour of all-digital Oklahoma Heart Hospital, where automation is the norm
Healthcare workers looking at X-ray images on monitors
Streamlining healthcare operations with multicloud-by-design
Nurses review a patient record on a digital tablet
All private hospitals in Singapore to connect to...
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Mehmet Oz
Trump picks Dr. Mehmet Oz to head CMS
Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's