OCR Seeks Feedback to Improve HIPAA Audit Program
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is conducting a HIPAA Audit Review Survey and is seeking feedback from entities that were subjects of HIPAA compliance audits to gather information to improve future audit programs.
Between 2016 and 2017, OCR conducted its second phase of HIPAA compliance audits. The desk-based audit program involves documentation requests on specific aspects of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The audits revealed which elements of the HIPAA Rules were proving problematic for HIPAA-covered entities and their business associates.
The audit review survey is being conducted to gather information about the effect of the audits on the audited entities and their opinions on the audit process. The aim is to determine the efficacy of the audit program in assessing the efforts made by HIPAA-covered entities and their business associates to comply with the HIPAA Rules and measure the effect of the audits on covered entities’ and business associates’ subsequent actions to comply with HIPAA.
The survey will provide the audited entities with the opportunity to comment on the usefulness of HHS HIPAA guidance and communications, how easy the online submission portal was to use when uploading documentation requested by auditors, and whether the communicated findings of the audits and the audits themselves actually helped to improve entity compliance.
OCR is also seeking feedback on the burden that the audits placed on covered entities and business associates regarding the requested documentation and responses to audit-related requests, including the impact on day-to-day business operations. Questionnaires will consist of 39 questions and will be sent to Privacy and Security Officers at 166 HIPAA-covered entities and 41 business associates. OCR says the information collected will be used to improve future HIPAA compliance audits. The announcement of the survey could indicate that OCR is planning to conduct another round of audits, or even to initiate a long overdue permanent audit program.
The HITECH Act requires the HHS to conduct annual audits of HIPAA-regulated entities to assess compliance with the HIPAA Rules, and while there has been talk over the years about a permanent audit program, it has not yet materialized. Instead, OCR conducted its first round of HIPAA audits in 2011 and then waited until 2016/2017 to conduct the next phase of audits. OCR has made it clear that it intends to comply with this requirement of the HITECH Act but the department is faced with a chronic funding shortage and there are no signs that Congress will be providing any extra cash.
OCR does have the option of imposing more civil monetary penalties for HIPAA violations and could use the proceeds to pay for an audit program; however, a reinterpretation of the language of the HITECH Act saw the penalty amounts reduced, and that has drastically reduced the funds OCR has generated from enforcement actions. OCR is petitioning Congress to increase the maximum civil monetary penalties for HIPAA violations, which would help to solve OCR’s funding problems, and this is more likely than the HHS being given a major funding increase.
Conducting investigations is resource-intensive, and it can take years before financial penalties can be imposed or cases settled. The latest enforcement action by OCR took 8 years to resolve. OCR has undergone a restructuring to improve efficiency by making better use of its resources, and that may have given OCR some more bandwidth to start dealing with the backlog of data breach investigations, which could result in more enforcement actions. Whether that will be sufficient to fund an expensive permanent audit program remains to be seen, but it is clear that such a program is needed. The last round of HIPAA audits uncovered widespread noncompliance with the HIPAA Rules, and even though OCR has increased enforcement activity in recent years, the chances of being investigated or audited and having to pay a financial penalty are very low. As such, when there are competing priorities for resources, many HIPAA-regulated entities put HIPAA compliance on the back burner.