This has become more evident recently after OCR announced the upcoming expansion of HIPAA desk audits. We have recently heard of two healthcare organizations in Middle and East Tennessee receiving letters of notification for desk audits. It's coming! The best thing you as a covered entity or business associate can do is everything possible to get ready. Below is some guidance from the website HealthIT Security on being prepared for a desk audit:
http://healthitsecurity.com/features/what-entities-need-to-know-about-upcoming-ocr-hipaa-audits
For our customers, we strongly recommend you have conversations with your leadership, your physicians and your vCIO on being prepared. It's important to understand the gaps that exist and have an addressable plan that you are following. At a minimum, OCR is going to want to see that you aren't sticking your head in the sand and hoping that it all goes away.