HIPAA Audits to Recommence in 2015
Following on from a series of pilot HIPAA audits, the HHS Office for Civil Rights (OCR) is planning a second round of random audits to ensure healthcare organizations are fully compliant with current HIPAA regulations. The next round of audits will also carry severe financial penalties for any violations uncovered.
The next round of HIPAA audits was planned to start in October 2014, although the date has now been pushed back until 2015. It was announced at the San Diego American Health Information Management Association (AHIMA) annual convention that a round of 350 audits would be conducted on healthcare organizations, with a further 50 audits to be conducted on business associates to ensure compliance. Insurers and clearinghouses will also be subjected to audits in 2015.
The healthcare organizations due to be audited have already been selected, although entities have also been selected to ensure better coverage across the whole of the United States and to ensure that a good diversity of entities are assessed for HIPAA compliance. This only gives healthcare organisations a few more months to find pager replacements that are HIPAA compliant.
The delay to the audits is believed to be largely due to issues with the OCR website which is currently being updated to be more user friendly. Subjects selected for audit will be required to use the system to download and print out documents.
Since the OCR started its audit program it has collected $26 million from the financial penalties it imposed on organizations which breached HIPAA rules, and during the past 6 years has issued 23 settlement agreements ranging from $125,000 to $4.5 million, depending on the nature of the violation and damage caused.
While large organizations, hospitals and healthcare centers are to be included in the audits, small healthcare companies will not escape scrutiny on procedures and policies covering data security and privacy. Even individuals are not exempt from the new audits.
The message given by the OCR is clear. Every organization and individual covered by HIPAA regulations must ensure full compliance with the legislation and recent amendments. Risk assessments must be conducted and emergency response procedures defined and implemented.
While the audits will assess the procedures and technology used to prevent unauthorized access to patient data, organizations will also be assessed on how patient access to PHI is handled and whether any blocks to patient access rights still exist.