The word “audit” has earned a dubious reputation, causing anxiety in workplaces across the land. However, most audits serve as a preventative measure: they alert the organization to areas that need attention before a weakness becomes something much more serious.
In regard to HIPAA compliance, a random audit by an outside auditor is highly unlikely. Realistically, the Office for Civil Rights (OCR) does not have the staff to target healthcare providers in this way. In practice, an OCR audit typically takes place after some type of violation or breach event.
For instance, let’s say a security breach occurs or someone reports a violation. These kinds of incidents trigger OCR HIPAA audits.
In most cases, however, the triggering incident isn’t the biggest issue faced by organizations that violate HIPAA regulations. HIPAA fines usually have little to do with the event itself and much more to do with the underlying compliance failures it exposes. You need to find the root cause and remedy it as quickly and completely as possible.
While you want to avoid an OCR audit at all costs (because it occurs as the result of a breach, and the fines can be quite expensive), you also want your organization to be audit-ready: always in a state of preparedness for an OCR audit.
There are various types of OCR audits, but we’re focused here on the HIPAA audit, a deep dive into your organization’s compliance with all HIPAA regulations.
You’ll need to bring together key people within your organization to accomplish the task of becoming audit-ready. Early on, we recommend seeking guidance from the Office of the National Coordinator’s Guide to Privacy and Security.