Healthcare and Data Privacy Partner Betsy Hodge tells Healthcare Risk Management in a new article that, with HIPAA audits resuming, organizations must act now to ensure compliance. She stresses that both covered entities and business associates – including non-healthcare businesses sponsoring employee health plans – are at risk of audits. Hodge warns that many organizations underestimate their responsibilities, especially when it comes to conducting the risk analysis required by the HIPAA Security Rule, and urges them to review and strengthen their security policies.

“It’s not enough to describe what your organization does. You must show OCR your work,” Hodge says. “Also, while information provided by those being audited won’t result in a HIPAA enforcement action, where an audit reveals serious compliance issues, OCR may open a subsequent compliance review.”

She advises proactive preparation: updating documentation, conducting regular risk assessments, and training staff on HIPAA requirements.