The Department of Health and Human Services' Office for Civil Rights (OCR) has been planning a new round of “desk audits,” and healthcare organizations have been advised to conduct a comprehensive risk analysis and to be prepared for these audits. The more you are in compliance, and can prove compliance, the better your chances of coming through an audit successfully. As has been mentioned before, meticulous records are key to HIPAA audit success.
Speaking in September at the HIMSS Privacy and Security Forum, OCR’s senior advisor for health information privacy, Linda Sanches, shared her thoughts on HIPAA audits with Healthcare IT News. To clarify, Sanches says that risk analysis should be done before an audit, not after:
“If you don’t do a periodic risk analysis, you won’t know where you stand,” Sanches noted.
In the event of a breach, Sanches explains that “the onus is on you to prove you had the proper systems in place. If you did a comprehensive risk analysis and took the necessary steps, that’s what you need to show us.”
One of the benefits of Absolute Computrace is its foundational support for all activities related to Governance, Risk Management and Compliance (GRC) for the endpoint. With a persistent connection to each device, we are able to provide compliance reports and certificates in addition to security incident response and remediation. This means that, in the event of device theft, Absolute Computrace customers can remotely lock down devices and delete data, with an audit trail to prove that data has not been compromised. This is key to avoiding data breach notification requirements and to providing this information easily and quickly to OCR.
For more on the current state of HIPAA and how it impacts healthcare organizations, we offer the following resources: