Written by Dianne Bourque
The HHS Office of Civil Rights has begun notifying the 150 covered entities chosen for its first round of audits under HITECH, and it has posted a sample audit notification letter.
If your organization receives one of these letters, immediate attention is critical. You may have as few as ten days to respond to documentation requests accompanying the audit notification. Requested documentation will likely include policies and procedures, forms, evidence of HIPAA privacy and security program implementation (such as documentation of completed training), and other documentation required by the HIPAA privacy rule and security standards. A site visit may occur as soon as thirty days following the audit notification letter. During a site visit, auditors will interview key personnel and observe your business operations to evaluate compliance.
Don’t wait until you receive an audit notification letter to evaluate your HIPAA compliance program. There is never a good time to have a gap in your program, but the stakes are even higher in the post-HITECH world.