The Office for Civil Rights (OCR) has chosen a vendor to conduct the second round of Health Insurance Portability and Accountability Act (HIPAA) audits.
According to FierceHealthIT, FCi Federal has been selected as the vendor. Once the audits begin, FCi Federal will make its way across doctors' offices, hospitals, chiropractors, dentists, and other facilities operated by covered entities to ensure they are compliant with the HIPAA Security, Privacy, and Breach Notification Rules. HIPAA violations are somewhat rare in the grand scheme of things, but they do occur. An oncology practice, for instance, recently settled a HIPAA violation by agreeing to pay $750,000. Reports indicate that Cancer Care Group failed to conduct a risk analysis after it experienced a widespread data breach back in July 2012.
Of course, it should come as little to no surprise that a second round of HIPAA audits is underway. As noted by OCR Director Jocelyn Samuels, OCR has been planning round two audits for a while now. But in order to perform these audits, OCR must select a vendor, which is where FCi Federal comes into play. FCi Federal has been named as the vendor responsible for carrying out the second round of HIPAA audits this year.
"We are hard at work on the next phase, and I know you've heard that a lot, but it's coming," said OCR Director Jocelyn Samuels at a recent press conference in the District of Columbia. "Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach ... and they enable us to better tailor our guidance and our technical assistance to ensure that we're addressing the most common problems."
So, what steps should you take to prepare for the second round of HIPAA audits? Even if your practice isn't chosen for an audit, it's always a good idea to prepare for one. The old saying, hope for the best but prepare for the worst, holds true here. For starters, you should familiarize yourself with the HIPAA Security, Privacy, and Breach Notification Rules, understanding the nuances of each. The Security Rule pertains to electronic protected health information (ePHI), while the Privacy Rule pertains to all forms of PHI. The Breach Notification Rule, as the name suggests, outlines what a covered entity must do in the event of a PHI/data breach.
It's also important that covered entities perform their own risk analysis, looking for potential HIPAA privacy violations and threats. Failure to do so could result in your practice being slapped with a fine, as in the case involving Cancer Care Group.