OCR Discusses Upcoming HIPAA Audits
As Business Associate Agreements Amendment Deadline Approaches, OCR Discusses Upcoming HIPAA Audits | HL Chronicle of Data Protection
Security risk assessments and breach notification will be key areas of focus for the audits. “If you don’t do a periodic risk analysis,” Sanches explained, “you won’t know where you stand.” Sanches also stated that although such an analysis can involve significant resources, it’s better to have one in hand than to have to scramble to prepare one at the time of an audit. Recent HIPAA enforcement actions—which have resulted in multi-million dollar settlements with OCR—underscore the importance of conducting a thorough risk assessment and developing an effective HIPAA compliance program.
Sanches’s remarks on the OCR audit program precede an important upcoming HIPAA deadline. Specifically, September 22, 2014, will be the last day for covered entities and business associates to amend “grandfathered” business associate agreements (BAAs)—meaning those BAAs that had been in place as of January 25, 2013, and have not been amended since that time—to comply with the HIPAA “Omnibus” Final Rule released on January 25, 2013. The Final Rule required that certain changes be made to BAAs, including requiring business associates to comply with applicable Security Rule requirements and to report breaches of unsecured PHI. HIPAA covered entities and business associates that have not amended their BAAs since January 25, 2013, to comply with the Final Rule should ensure that they have done so before the September 22 deadline.