HIPAA Audits Are On The Way—Are You Ready?

Start Here With Our 5-Part Webinar Series

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has confirmed that a new round of HIPAA audits is on the way. OCR Director Melanie Fontes Rainer made this statement to ISMG media on February 14: “OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.”

Now is the time for regulated healthcare entities to get ahead of the next wave of audits and make sure their organizations are in compliance with HIPAA.

In a new multi-part webinar series, Clearwater experts will give you the guidance needed to position your organization for success. This series provides crucial insight not only for organizations classified as covered entities under HIPAA but also for those classified as business associates (BAs). BAs are especially on OCR’s radar: many of the largest data breaches of the past few years occurred at vendors managing electronic protected health information on behalf of a healthcare provider or health plan.

Part 1: What We Learned from the Last Round of HIPAA Audits

Between 2016 and 2017, in its most recent round of compliance audits, OCR reviewed a little over 200 covered entities and business associates through remote (desk) audits. A December 2020 report followed, detailing the shortcomings of the covered entities and business associates selected for review. In Part 1 of our series, two former OCR officials who are now part of Clearwater’s Privacy and Compliance Services team review the shortcomings spotlighted in that report, many of which are still common today, including failure to conduct a security risk analysis and failure to give patients timely access to their records.

Our team also provides an overview of OCR’s statutory requirement to perform audits, walks through the audit process, and reviews the privacy, security, and breach notification provisions that were audited.


Part 2: Keys to Implementing an OCR-Quality® Compliance Program

As the past round of audits revealed, implementing a HIPAA compliance program that meets OCR’s expectations is a challenge for many healthcare organizations. In Part 2 of our series, two senior leaders of Clearwater’s Privacy and Compliance team review the keys to implementing an OCR-Quality compliance program, drawing on our track record of 100% success advising clients through OCR investigations. Learn what it takes to meet HIPAA requirements in today’s healthcare environment.


Part 3: How to Conduct an OCR-Quality® Risk Analysis

OCR’s enforcement data shows that in nearly 90% of enforcement actions involving electronic protected health information, the organizations investigated had failed to meet the risk analysis requirement of the HIPAA Security Rule. In this session, Clearwater Chief Risk Officer Jon Moore provides a deep dive on the type of risk analysis OCR expects for compliance with the Security Rule. He explains why risk analysis must be performed at the information system level, what the consequences are of not performing a comprehensive, enterprise-wide risk analysis, and shares practical recommendations to help healthcare organizations evolve their approach to analyzing and responding to information security risk.


Part 4: Preparing for an OCR Audit or Investigation

With more than 700 reportable breaches occurring annually and HIPAA audits expected to be conducted randomly again, every regulated healthcare entity needs to be prepared for OCR to arrive at its doorstep. In Part 4 of our “Are You Ready?” series, former OCR officials Andrew Mahler and Omena Nwachukwu, now members of Clearwater’s Privacy and Compliance Services team, discuss the best evidence to provide during an audit or investigation and take a deeper look at how privacy and breach notification policies are assessed.


Part 5: Navigating HIPAA, 405(d), and CPGs

In addition to the recent announcement of new HIPAA audits, HHS has introduced voluntary Cybersecurity Performance Goals (CPGs) intended to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices.

The CPGs are informed by select references to the 405(d) Health Industry Cybersecurity Practices (HICP), the NIST Cybersecurity Framework, the controls in NIST SP 800-53 Rev. 5, and the 2023 Hospital Cyber Resiliency Landscape Analysis. While voluntary at this point, the goals may serve as inputs to future regulatory requirements, including changes to the HIPAA Security Rule, which HHS has stated it will begin revising in the spring of 2024.

How should healthcare organizations think about the CPGs relative to HIPAA, and what steps should they take to align with industry requirements? In this final webinar of the series, Clearwater experts break down the latest from HHS and help you chart an effective course.
