At Immersive, we approach each HIPAA Security and/or Privacy project as if we were preparing you for an OCR or OIG audit so that your organization is as “enforcement-ready” as you can be.
Bottom line is this. If you are telling your leadership team and Board that you are meeting your HIPAA compliance and/or MU attestation obligations, make sure that you are. But take it one step further: make sure that you are “enforcement-ready” as well. You see, in this era of heightened enforcement, the stakes are simply too high to leave things to chance. And it is really not that much more intensive or difficult to do these reviews and analyses with enforcement in mind anyway.
The Office for Civil Rights (OCR) continues to message to the industry that the compliance questionnaires that will be sent to roughly 850 Covered Entities (CEs) to kick off Phase 2 of the HIPAA Privacy, Security, and Breach Notification Audit Program are forthcoming “shortly.”
If your organization is “fortunate” enough to receive one of these questionnaires, the way you respond could be the difference between being selected for audit or not. The Phase 2 Audit Program lifecycle starts with this questionnaire and may lead to a documentation-based desk audit or, as announced by OCR’s Iliana Peters at the HIMSS Privacy and Security Forum in June, to on-site audit surveys as well.
If you know the philosophies of the members of our data protection team or track us on social media, you will know that we do not believe that compliance translates to or ensures good privacy and security practices and programs. However, some healthcare organizations and consultancies continue to pursue security through compliance. While compliance pursuits may serve to get your annual risk analysis and program reviews funded, your pursuit should not be compliance but, rather, meaningful privacy and security programs.
Look for upcoming webinar invitations, where we are going to tackle the topics of “correct” risk analysis and OCR audit readiness. Plan to join us. We’d love for you to attend and contribute your feedback. Our events are always free and never salesy!