Random HIPAA audits are permitted, but they often focus on large corporations. As of March 2019, HHS had selected nine health plans and clearinghouses at random for Compliance Reviews.
Historically, HHS has selected which healthcare institutions to audit by sending questionnaires at random to those organizations.
HIPAA audits were first carried out by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) in 2014.
OCR carries out these routine audits of covered entities and business associates to make sure they comply with HIPAA security, privacy, and breach notification requirements.
The purpose of the audit is to confirm that PHI, whether on paper or in electronic form, is kept confidential, secure, and protected.
During the audit, OCR evaluates your organization’s security policies, procedures, and controls. Between 2016 and 2017, OCR audited 166 covered entities and 41 business associates. An audit frequently begins with a request for documents and data.
OCR might request data records, policies, guidelines, training materials, or other information. Once it has this material, OCR will need time to analyze it and reach a decision.
If the evidence shows that your organization is HIPAA compliant, the audit may conclude relatively quickly. After OCR completes the audit and issues a report, the healthcare organization has the chance to respond to OCR’s findings.
Additionally, HIPAA mandates that covered entities and business associates conduct their own internal audits at least once a year.
Many large firms conduct internal audits twice a year or even quarterly, depending on whether there have been changes to technology, rules, procedures, and so on.
What are HIPAA Audit Requirements?
HIPAA requires healthcare organizations to maintain the privacy, accuracy, and accessibility of protected health information (PHI). As a result, it is important to monitor and record PHI access.
Audit logs record both authorized and unauthorized access to PHI, providing the evidence needed to demonstrate compliance with the minimum necessary standard.
The HIPAA minimum necessary standard requires that workforce members access PHI only when it is necessary to perform their duties. Audit logs are used to establish each employee’s typical access pattern.
Once a typical access pattern has been established for each employee, administrators can quickly identify when an employee is abusing their access privileges. They can also quickly determine whether someone else has improperly accessed data using an employee’s stolen login credentials.
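To show how the access-pattern baselining described above works in practice, here is an added example (not code from the article or from OCR): it builds each user's usual hours, workstations and daily record volume from a baseline window of PHI audit log records, then flags days in a later window that deviate. The log format, user names, workstation IDs and patient IDs are all constructed for the demonstration.

```python
# Added example (not the article's code): baseline each user's PHI access pattern
# from audit logs and flag deviating days. Log format and all records are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed audit log lines: "timestamp,user,workstation,patient_id,action"
BASELINE_LOG = """\
2024-03-04T09:12:00,nurse.ali,WS-ICU-01,P1001,view
2024-03-04T10:40:00,nurse.ali,WS-ICU-02,P1001,update
2024-03-05T09:05:00,nurse.ali,WS-ICU-01,P1002,view
"""
REVIEW_LOG = """\
2024-03-11T09:10:00,nurse.ali,WS-ICU-01,P1001,view
2024-03-12T02:14:00,nurse.ali,WS-ADMIN-07,P2001,view
2024-03-12T02:15:00,nurse.ali,WS-ADMIN-07,P2002,view
2024-03-12T02:16:00,nurse.ali,WS-ADMIN-07,P2003,view
2024-03-12T02:17:00,nurse.ali,WS-ADMIN-07,P2004,view
"""

def per_user_day(log):
    """Group records into {(user, date): {hours, stations, patients}} sets."""
    days = defaultdict(lambda: {"hours": set(), "stations": set(), "patients": set()})
    for line in log.strip().splitlines():
        ts, user, ws, patient, _action = line.split(",")
        t = datetime.fromisoformat(ts)
        d = days[(user, t.date())]
        d["hours"].add(t.hour); d["stations"].add(ws); d["patients"].add(patient)
    return days

def build_baseline(log):
    """Per user: usual hours, usual workstations, median distinct patients/day."""
    base = defaultdict(lambda: {"hours": set(), "stations": set(), "counts": []})
    for (user, _), d in per_user_day(log).items():
        base[user]["hours"] |= d["hours"]; base[user]["stations"] |= d["stations"]
        base[user]["counts"].append(len(d["patients"]))
    return {u: {**b, "daily": median(b["counts"])} for u, b in base.items()}

def find_anomalies(baseline, log, volume_factor=3):
    """Return [(user, date, reasons)] for user-days that deviate from baseline."""
    findings = []
    for (user, day), d in sorted(per_user_day(log).items()):
        b = baseline.get(user, {"hours": set(), "stations": set(), "daily": 0})
        checks = ((d["hours"] - b["hours"], "access outside usual hours"),
                  (d["stations"] - b["stations"], "unfamiliar workstation"),
                  (len(d["patients"]) > volume_factor * b["daily"], "record volume spike"))
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            findings.append((user, day.isoformat(), reasons))
    return findings
```

A user with no baseline at all is flagged on every day, which is the conservative choice for a reviewer; the thresholds here are illustrative and would be tuned per role in a real deployment.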
HIPAA’s audit log rules stipulate that audit log records must be retained for six years. Several state-specific retention rules require healthcare organizations to keep records for longer than six years. When a state law imposes stricter retention obligations, healthcare organizations must follow the more stringent standard.