Tuesday, June 19, 2012

OCR 20 Audit Findings / Recommendations

In Washington DC, Linda Sanches from the OCR presented findings from the first 20 audits of the pilot program to assess HIPAA privacy, security and breach notification performance. The remaining 95 audits will occur in 2012, and OCR has indicated that audits will continue in 2013. Some highlights of the slide deck follow (draw your own conclusions). They give some insight into what the auditors are looking at.

Audit Issues by Area:
  • Conduct Risk Analysis (17)
  • Grant Modify User Access (17)
  • Incident Response (11)
  • Contingency Planning (34)
  • Media Reuse and Destruction (18)
  • Encryption (10)
  • User Activity Monitoring (46)
  • Authentication/Integrity (19)
  • Physical Access (9)

OBSERVATIONS:

  • Policies and Procedures
  • Priority HIPAA Compliance Programs
  • Conduct of Risk Assessment
  • Managing third party risks

NEXT STEPS based on the reviews:
  • Conduct a robust review & assessment
  • Determine Lines of Business affected by HIPAA
  • Map/Flow PHI movement within your organization, as well as flows to/from third parties
  • Find all of your PHI
  • See guidance available on OCR web site

The full slide deck from the presentation is available at the link below.
http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf?goback=%2Egde_2473393_member_124101464

More information about the Audit Program can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
