OCR Phase 2 Desk Audits Were Just Sent Out
On March 21st, 2016, letters went out from the Office for Civil Rights (OCR) to hundreds of Covered Entities and Business Associates across the country. This is phase 2 of the auditing required of OCR by the HIPAA HITECH Act. Look through your e-mail and spam filters for this letter. If you have received an e-mail from OCR that is asking you to verify contact information, you have 10 days to reply to this request. Do not ignore it. OCR was very specific at this week’s National HIPAA Conference in Washington, DC that ignoring this request will only expedite your level of attention by the organization.
I would also caution many of you to call OCR and verify the legitimacy of the e-mail before clicking on any link within the e-mail. Bad guys could use this event window to launch a very targeted phishing e-mail that pretends to be OCR.
For F1 medical clients, I recommend looking through your e-mail and spam filters. If you did not receive this request, then breathe a little easy for the next 6 months. If you did receive this e-mail, then contact F1 immediately. Don’t panic. We can help guide you through what to do next. You will need to craft a reply to the letter that will be available to the public, so an attorney should review this response as well.
The National HIPAA Summit was abuzz about this topic, and many members had received these audits the next day. In addition to this announcement, the summit focused on data security, breach notification rules and privacy guidelines. I found the incident response portions the most interesting and enjoyed learning from others’ real-life events.
I don’t expect many of you to get this, but I do expect several will. If you haven’t received it by now, then you probably missed this wave of letters.