The Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing HIPAA Rules on data privacy, security and breach notifications. As part of this duty it is required to conduct compliance audits on HIPAA-Covered Entities (CEs) to ensure the legislation is being followed and the Privacy and Security Rules are put into practice.
The task is a difficult one. It is hugely labor intensive, involving the collection and collation of mountains of paperwork, and it requires an army of staff to assess compliance. The job requires highly trained personnel, which the OCR has; unfortunately it just does not have enough of them.
The role of the OCR is considerable, with the department required to ensure compliance with a number of legislative acts, in addition to HIPAA. The huge workload, which also includes the issuing of guidance as well as taking enforcement actions and conducting audits, places a considerable strain on the agency’s 650-strong workforce of attorneys, auditors and staff.
Budgetary constraints are a long-running problem for the department, and while an increase in funding has been promised, budget freezes have forced the OCR to make improvements, cut back on inefficiencies and get more work out of the staff it has.
Budget problems and a lack of resources have been implicated in the delay to the second phase of HIPAA compliance audits. Three years after the pilot phase was completed, the second round failed to take place.
Jocelyn Samuels, Director of the OCR, has remained tight-lipped about the audits and has refused to be drawn on the start date, although the department has confirmed that the process has started. Pre-audit screening surveys have now been dispatched to covered entities to help with the selection process.
A considerable amount of groundwork has also been performed. The new web portal streamlines not only the collection of information on data breaches, but also the collection of documentation for the audits. This change was necessary, as the second phase of compliance audits is expected to be extensive. The OCR has previously hinted that this round of audits will be like nothing seen before, in terms of the scale of the operation.
OCR's Role Confirmed and Constraints Highlighted
The OCR issues fines and takes enforcement actions against violators of HIPAA, but the agency is more concerned with ensuring compliance with HIPAA to prevent data breaches from occurring.
Samuels was a keynote speaker at the District of Columbia Health Privacy Summit on Wednesday, and spoke of the OCR's role. “We’re not in the business of certifying–like the Good Housekeeping seal.” Samuels also confirmed that the OCR has a straightforward mission. “We interpret and enforce the standards of the law.”
At any cybersecurity gathering, Samuels is guaranteed to be asked about the upcoming HIPAA audits, and this occasion was no exception. Attendees hoping for insight into the fast-approaching HIPAA compliance audits were not given a date, but were told that the audit plan has been formed and that, in spite of budgetary constraints, progress is being made.
“We are really trying to streamline our operations and institute new reforms that will enable us to use the resources that we do have to [our] best advantage. We’re trying to do more with less,” she said.
The plan appears to involve an autumn start to the compliance audits; however, the lack of an announced timeframe and confirmation of tight budget restrictions could indicate that a 2015 start to the compliance audits is far from certain.