The US Office of Civil Rights (OCR), part of the Department of Health and Human Services, plans to audit about 150 HIPAA covered entities during 2012. Twenty of those audits will be part of a pilot phase being carried out to fine-tune the agency’s auditing procedures.
The website HealthcareInfoSecurity recommends taking the following actions to prepare for an audit:
- Addressing the entire life cycle of electronic and hard copy protected health information, plus identifying where such information is created throughout the organization, how it is maintained, and how it is disposed of;
- Creating a compliance cycle that regularly modifies policies and training in response to recurring issues and emerging threats; and
- Conducting a comprehensive review of policies, procedures, other documentation, and training.
This approach can be useful whether or not an organization has been notified of an impending audit, and can be applied to research as well as clinical compliance programs.