Susan McAndrew, deputy director of the Office for Civil Rights (“OCR”), has announced that OCR has completed the first 20 audits mandated by the HITECH Act, although the covered entities audited have not yet received their final audit reports. The OIG has begun collecting data on the next wave of 25, with 70 more to be identified later in the year. This total, 115 covered entities—no business associates this year—has been scaled back from the 150 audits initially planned for.

She noted that among the specific criteria used to select particular candidates are whether the entity is public or private, the size of an entity, affiliation with other health care organizations, the type of entity and relationship to patient care, and past and present interaction with OCR concerning HIPAA enforcement and breach notification. OCR also considers geographic factors in the selection process.

Finally, she pointed out that OCR plans to publish an audit protocol on its website “in the near future” and that OCR has developed a specific audit protocol manual for conducting audits. OCR designed the protocol so that OCR can use it as the basis for its audit work in the future, regardless of how OCR conducts those audits.

A consultant who was at a client hospital for its audit stressed just what I have been stressing in my books, CD, DVD, blog, consulting, seminars, and other training: do a thorough, written, risk analysis and implement policies and procedures to ensure compliance. For more on this announcement, see Howard Anderson’s article from earlier today, “HIPAA Audits: A Progress Report.”

You may also be interested in reading my recent article published in the March 2012 issue of the Journal of AHIMA, “Keeping It Private: Staying Compliant with the HIPAA Privacy and Security Rules.” The Journal’s table of contents emphasizes how to prepare for an audit in a pull-out quote from what I said in the article: “If a covered entity implements a security measure without conducting a risk analysis, it is just guessing.”