Deven McGraw Gives Update on OCR HIPAA Compliance Audits

Office for Civil Rights deputy director of health information privacy, Deven McGraw, has provided an update on the OCR’s planned HIPAA compliance audits, saying the revised protocol for the long-awaited second round of compliance audits will be published next month.

Late last year, OCR Director Jocelyn Samuels announced that the next round of audits would be taking place in early 2016. With the announcement of the planned publishing of the audit protocol in April, the next round of audits could start in Q2, although this seems unlikely. Once the audit protocol has been published there will be a period allowed for public comments. Those comments will need to be assessed, and may require changes to be made to the audit protocol.

According to McGraw, the new protocol will be based on that used for the 2011/2012 round of audits, with amendments made to account for the changes to HIPAA following the introduction of the Omnibus Rule in 2013. Previously, OCR indicated the next round of compliance audits would be conducted in modules. A module would be developed to assess Privacy Rule compliance, a separate module would assess Security Rule compliance, and a third would be developed for the Breach Notification Rule. This would allow OCR to conduct assessments on any of the three aspects of HIPAA, or any combination thereof.

The latest announcement has not provided any further details on how the audits will be conducted, only that they will be much narrower in scope. McGraw said the remote desk-based audits would focus “on compliance with only a small subset of HIPAA requirements.”

A sample of covered entities has already been produced and contact information is now being checked. Those entities will be asked to produce a list of their business associates, and once their details have been verified, they will also be added to the audit list.

A geographically representative sample of those covered entities will then be selected for audit. The audits will be conducted on a broad range of covered entities, including healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities, including large organizations and smaller practices.

The audits will involve 200 desk audits and 10 to 25 full-scale audits; the latter will include a site visit by OCR’s appointed auditors.

McGraw has not given any indication of when the official start date will be, only confirming that the next round will start “later this year”.

The first round of compliance audits took place in late 2011/early 2012 and revealed that many healthcare organizations were struggling to meet the minimum data security standards required by HIPAA. While no fines were issued for compliance failures uncovered by the auditors, covered entities that were found to have violated HIPAA Rules received assistance to bring their policies and procedures up to the required standard.

The second round of compliance audits was scheduled to start in 2014; however, the audit program suffered numerous delays. The OCR had been struggling with an incredibly challenging and heavy workload and was operating on limited resources. It was felt that before the audits could commence a number of changes were required at OCR to ease its workload and to ensure the labor-intensive audit process could run more smoothly.

A new web portal was desperately required to help OCR with the collection and collation of documentation. That was completed and implemented in 2015. OCR has also appointed a new vendor to conduct the audits, Virginia-based FCi Federal, and key members of staff have also been appointed to assist with the audit process. The finalization of the audit protocol has taken some time, but McGraw confirmed that OCR is “on track” and expects to publish the protocol in April.

McGraw also confirmed that OCR will be resuming work on the accounting of disclosures final rule as well as a notice of proposed rulemaking for sharing some of the funds collected from covered entities under OCR’s enforcement program. Some of those funds will be shared with breach victims who have suffered harm as a result of the exposure of their PHI.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.