As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.
The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.
If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.
Communications from OCR will be sent via email and may be incorrectly classified as spam by your email system, so it’s important that employees check their junk/spam folders for emails from OCR. If you do find OCR email in your junk or spam folders, the sender should be added to your safe senders list (also known as “whitelisting”).
If your organization has a centralized email system, this can usually be applied globally. Otherwise, each user may need to update their own whitelist. Check with your IT support contact if you need help.
We hope you find this information useful. Please be on the lookout for the next Artemis Healthcare IT Alert…
VP, Artemis IT