How Many HIPAA Audit Programs Are There and How to Prepare

There are several HIPAA audit programs, but the most well-known ones are the Office for Civil Rights (OCR) audit program and the Healthcare Information Trust Alliance (HITRUST) audit program.

The OCR audit program is a mandatory audit program that was established to ensure compliance with the HIPAA Security Rule. The program was introduced in 2011 and has been ongoing since then, with a total of 166 audits conducted as of 2020.

To prepare for the OCR audit program, it's essential to have a robust risk analysis in place, which includes identifying and mitigating potential risks and vulnerabilities. This will help you demonstrate your compliance with the HIPAA Security Rule.

If this caught your attention, see: Kyc Program

There are two main types of HIPAA audit programs: the Office for Civil Rights (OCR) Audit Program and the Centers for Medicare and Medicaid Services (CMS) Audit Program. Both programs aim to ensure compliance with HIPAA regulations.

The OCR Audit Program focuses on HIPAA Rules compliance, covering aspects such as patient rights, privacy, and security. This program conducts both desk audits and on-site audits to assess compliance.

The CMS Audit Program, on the other hand, focuses on HIPAA compliance in the context of Medicare and Medicaid, specifically examining claims and billing processes.

Worth a look: Pcard Program

Wave 1 of the Audit Program included 20 covered entities, divided into four different groupings based on their size and use of Health Information Technology (HIT).

The first wave of the Audit Program had a diverse range of covered entities, including 10 providers, 8 health plans, and 2 clearinghouses.

Level 1 entities, which are large providers or plans with $1 billion or more in revenues that use HIT extensively, were among the covered entities in Wave 1.

Self-insured health plans, including employer-sponsored health plans of businesses unrelated to the health care industry, were also chosen for the first wave of the Audit Program.

The four groupings of covered entities in Wave 1 were based on their size and use of HIT, with Level 1 entities being the largest and Level 4 entities being the smallest.

Level 2 entities had revenues between $300 million to $1 billion and used both paper and HIT enabled workflows.

Community hospitals and regional pharmacies with revenues less than $50 million and little to no use of HIT made up the Level 4 entities.

You might enjoy: Under Hipaa a Covered Entity Ce Is Defined as

The OCR Enforcement and Assistance section of the HIPAA audit program is a crucial aspect to understand. The OCR Audit Program is intended to serve as a compliance improvement tool rather than an enforcement tool.

Leon Rodriguez, Director of OCR, has stated that OCR's tolerance for noncompliance is decreasing. This means that covered entities can expect increased enforcement efforts from the OCR.

If an audit indicates serious compliance issues, it may trigger a separate enforcement investigation by OCR. This can be a serious consequence for covered entities.

OCR will offer more technical assistance to small providers, as well as other guidance for the industry. This is a positive step towards helping covered entities understand and comply with HIPAA regulations.

The HITECH "Omnibus Rule" amending several HIPAA Security and Privacy Rule provisions is expected to be issued "very soon" according to Leon Rodriguez. This will bring significant changes to the HIPAA regulations and covered entities should be prepared.

Take a look at this: How Many Administrative Areas Apply to Hipaa Regulations