The countdown to the HIPAA compliance audits has begun. The HHS’ Office for Civil Rights has now implemented its new breach reporting portal, which means the planning of the second round of the audits can begin in earnest. The long-awaited compliance audits look set to take place in 2015, and all covered entities need to be prepared.
Background to the HIPAA Compliance Audits
The Department of Health and Human Services gave its Office for Civil Rights the role of enforcing the Health Insurance Portability and Accountability Act, with the Enforcement Rule giving the legislation teeth in 2006.
Organizations failing to comply with HIPAA Rules have since faced financial consequences if privacy and data security policies are not introduced to the standards demanded by the legislation.
Part of the OCR's role in enforcing HIPAA regulations is to conduct compliance audits. The first round was conducted between 2011 and 2012, and 115 organizations were audited.
The Omnibus Rule and Business Associates
The introduction of the HIPAA Omnibus Rule extended the coverage of HIPAA to include Business Associates (BAs) and allowed the OCR to hold them accountable for any breaches of HIPAA Rules. BAs can now be fined directly by the OCR for HIPAA violations, and they too will be included in the next round of compliance audits.
2015 HIPAA Audit Protocol
Jocelyn Samuels has not yet confirmed when the audits will commence, although the OCR appears to be set for a late 2015 start. There is still a considerable amount of work left to do: staff need to be recruited, auditors trained and the final audit protocol finalized. However, the OCR has provided some details of what HIPAA-covered entities (CEs) can expect when the audits do commence.
The Selection Process
An entry was made in the Federal Register to allow the OCR to contact up to 1,200 organizations for screening purposes. A questionnaire will be sent to these organizations to determine their eligibility and suitability for an audit. The OCR will then select a geographically representative sample of CEs for audit. Large and small CEs, and their Business Associates, will be placed under the microscope. There are expected to be at least 400 audits, of which 50 are expected to be of BAs.
The second phase of the compliance audits will have a much narrower focus and will look at specific areas of HIPAA compliance. The OCR has developed audit modules on the Privacy Rule, Security Rule and Breach Notification Rule. A CE can be selected for an audit on any one module, or a combination of all three.
Penalties for Non-compliance
The OCR does not always issue financial penalties for non-compliance with HIPAA Rules, and tends to only fine organizations for serious breaches of HIPAA regulations. There are other methods of dealing with HIPAA non-compliance and the OCR often chooses to work very closely with the organizations in question to rapidly improve privacy and security standards.
However, the number of fines issued by the OCR has increased significantly in recent years. Organizations have been given plenty of time to bring data privacy and security standards up to the required level, and failures in these audits are likely to see fines issued for non-compliance. No fines were issued as a result of the pilot round of audits.
Organizations failing audits could face significant penalties if violations of HIPAA Rules are discovered. Are you prepared for the start of the audits? Would your organization pass an OCR inspection?