The time to prepare for an audit is before you have been selected. If you’ve already been selected, we can still get you ready.
Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind that audits are NOT enforcement actions.
What is the goal of an OCR audit?
The stated goal of the OCR audit program is to measure overall HIPAA compliance across a range of covered entities and business associates. HHS uses this data to assess the overall health of cybersecurity in the industry and to identify where additional outreach or education may be needed. If you are notified that your organization has been chosen for an OCR audit, the following guidelines will assist your response.
If You Are Chosen for an OCR Audit, Mobilize!
Assemble your team. The team should include your privacy and security officers, as well as your organization's compliance officer (if you have one). It is also a good idea to notify your internal and/or external legal counsel so that they can stay informed of every OCR request and every response you provide to OCR. Keep your counsel on standby to provide you with guidance if necessary.
Respond promptly and completely. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that failing to respond only makes matters worse if the OCR identifies significant violations. Make sure you keep thorough records of all transactions during the audit process, and it's a good idea to appoint one person to oversee all audit-related correspondence.
A few additional guidance points from the OCR include:
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- If yours is a desk audit, the auditor will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
- Do not submit extraneous information, as it makes it harder for the auditor to evaluate the requested items.
- Failure to submit a response to the request may result in a referral for a regional compliance review.
Craft your responses carefully, and don't be shy about challenging findings you believe are inaccurate. Historically, the OCR has allowed organizations to respond to identified issues.
Be prepared to back up your position with facts and to explain the rationale behind your compliance and security policy decisions. There are many areas where HIPAA's lack of specific direction works in your favor, provided you can demonstrate a thoughtful and reasonable approach to meeting all of the standards.
Hopefully your OCR audit will go smoothly. If you have done a good job of addressing the compliance standards and building a security program, the report will require little or no follow-up. If not, you may be subject to voluntary compliance activities or a more in-depth compliance review.
A compliance review that identifies significant problems may require additional corrective action or lead to a resolution agreement. In these cases, it is best to engage attorneys and consultants who are well versed in how the OCR operates.
If your OCR audit is part of the ongoing OCR audit program, keep in mind that the purpose of random audits is to measure compliance across a larger population, not just you. The OCR is responsible for educating organizations and equipping them with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are actually performing.