The HHS Office of Inspector General (OIG) offers a Compliance Resource Portal that sets out the "seven fundamental elements of an effective compliance program." These elements are:
- Standards, Policies, and Procedures
- Compliance Program Administration
- Screening and Evaluation of Employees, Physicians, Vendors, and other Agents
- Communication, Education, and Training on Compliance Issues
- Monitoring, Auditing, and Internal Reporting Systems
- Discipline for Non‐Compliance
- Investigations and Remedial Measures

Here’s another:
Desk audits are remote audits, where covered entities and business associates are asked to submit their documentation via the OCR’s secure web portal. Physical audits involve the OCR turning up at your workplace to inspect your HIPAA compliance provisions. They are often made in response to a lack of cooperation when an entity is asked to submit a desk audit, but also include the impromptu phase 3 on-site audits discussed above.
These are tough and bureaucratic and drive up the costs of aligning with the norm, yet breaches still happen. It appeared on the ProtonMail blog and I believe they are going to make a major marketing push towards the enterprise sales pitch. I don't endorse their service, but this was an interesting lowdown from the policy perspective.