The Office for Civil Rights (OCR) recently announced that it will be sending surveys to approximately 1,200 organizations in preparation for conducting HIPAA audits. The HIPAA audits are mandated by the HITECH Act.
According to the OCR, the surveys will be sent to about 800 covered entities and 400 business associates to obtain information to confirm whether the organizations are appropriate for an audit. The survey will request information such as the number of patients served, revenue, and locations. This will be the first time that the OCR has audited business associates. In 2012, the OCR conducted a pilot audit program of 115 covered entities and hired a contractor to perform the audits. The OCR is indicating that it will conduct the upcoming audits with its own staff. According to the OCR, about two-thirds of covered entities audited in 2012 failed to conduct appropriate security risk assessments.
It is anticipated that the new round of audits will include a review of compliance with the security risk assessment requirement, as well as encryption.