Privacy & Security

OCR: Onsite HIPAA audits coming in 2017

HHS Office for Civil Rights said the chances of getting audited are slim, but officials offered advice about what they're looking for when they do conduct an assessment.
By Tom Sullivan
December 07, 2016
11:52 AM

BOSTON — An HHS Office for Civil Rights official said Wednesday that the agency will be conducting on-site audits of hospitals in 2017.

OCR currently has more than 200 audits ongoing – 167 of those focused on providers, and just last week it sent out 48 to business associates, OCR senior advisor Linda Sanches said here at the HIMSS and Healthcare IT News Privacy & Security Forum.

"We will be conducting a small number of on-site audits in 2017," Sanches added. "Obviously your chances of getting an audit are very, very low."

OCR is using the audit process, Sanches explained, to find risks and vulnerabilities the government is neither aware of otherwise nor likely to learn about through filed complaints.

[Roundup: Everything that happened at the Privacy & Security Forum

HIPAA-covered entities have 10 days to respond to a desk audit. OCR is looking for policies and procedures to address privacy rule controls, breach notification rule controls and security rule controls.

"We’re looking for evidence that you are implementing the policies and procedures," Sanches said. "Two huge problems we’re seeing are implementation of risk analysis and risk management."

John Houston, UPMC vice president and associate counsel, pointed out to Sanches and OCR regional manager Susan Rhodes that information about exactly what OCR demands is lacking.

"We do a lot of stuff we consider to be a risk assessment but there’s not clarity on what that really means from OCR’s perspective," Houston said.

Rhodes answered that OCR requires entities to look at their own universe – and added that one-size fits all risk analysis is not realistic.

"There’s a lot of guidance on our web site – a lot," Rhodes said. "We put out a lot more than is commonly understood."

Twitter: @SullyHIT
Email the writer: tom.sullivan@himssmedia.com

 The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016. 
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Government & Policy, Privacy & Security, Privacy & Security Forum Boston 2016

More regional news

Franklin Square Medical Center

MedStar extends acute care at home to Baltimore

By
Andrea Fox
November 05, 2024
Andy Sajous of Ahead on AI

Why won't this expert's clients sign onto AI projects for more than 12 months at a time?

By
Bill Siwicki
November 05, 2024
Abstract of lines connected in a mesh over a map of the U.S.

Epic APIs move to USCDI v3

By
Andrea Fox
November 05, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Abstract of lines connected in a mesh over a map of the U.S.
Epic APIs move to USCDI v3

Most Read

NZ redirects digital health funds to payroll upgrade
New format for NZ's healthcare identifier and more briefs
Generative AI is this CISO's 'really eager intern'
HIMSSCast: Toward safer and more secure use of AI
Q&A: How redundancy enabled resilience after Crowdstrike outage
Will telemedicine stagnate without regulatory reform?

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Eric Liederman at CybersolutionsMD_Healthcare Cybersecurity Forum 2024
Improve cyberdefense through collaborative decisions
Jonathan Bauer at Atlantic General Hospital_Healthcare Cybersecurity Forum 2024
Cybersecurity focus and funding grow from big events
Darren Lacey at Johns Hopkins_Healthcare Cybersecurity Forum 2024
How AI can boost cybersecurity
Dennis Chornenky at UC Davis Health_PART 2_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
Chief AI officer: Multidimensional tech needs multidimensional leadership

More Stories

UC Davis Medical Center and chief AI officers
CAIOs must understand policy and business strategy, in addition to healthcare and IT
Dennis Chornenky at UC Davis Health_PART 2_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
Chief AI officer: Multidimensional tech needs multidimensional leadership
Dr Der-Yang Cho at China Medical University Hospital_HIMSS24 APAC
A Taiwanese hospital's commitment to healthcare AI
Dennis Chornenky of UC Davis Health on chief AI officers
Chief AI Officer: Healthcare's hot new role demands a rare combination of skill sets
Doctor looks at a desktop computer screen in a medical office
Vendor AI Roundup: Enhanced EHR offerings designed to give practices a leg up
Dennis Chornenky at UC Davis Health_PART 1_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
UC Davis Health's inaugural AI chief discusses the responsibilities of the role
Greg Garcia of HSCC at the HIMSS Healthcare Cybersecurity Forum
Work like 'a beehive, an ant colony' to protect against cyber intruders
Hands use a Medtronic device on a patient's hand to aid in testing pulse oximetry quality
Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance