HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Jocelyn Samuels Gives Update on OCR Compliance Audits

office-for-civil-rights-1Since the announcement that the second phase of compliance audits would be delayed, the Department of Health and Human Services’ Office for Civil Rights has remained tight-lipped over timescales.

Now, a year on from the original proposed start date, many expected OCR Director, Jocelyn Samuels, to give a timescale for the HIPAA audit program at the Safeguarding Health Information: Building Assurance through HIPAA Security HIPAA Security Conference in Washington this month.

Samuels gave a keynote address at the National Institute of Standards and Technology (NIST) and Office for Civil Rights (OCR) hosted conference, and while she did not provide a date or a timeline for the compliance audits, she did indicate the audits are now very close to becoming a reality.

She explained that the OCR has many roles, with compliance audits a part of its enforcement activities.Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and our technical assistance to ensure that we’re addressing the most common problems.”

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Laying the Foundations for a Permanent Audit Program


The first phase of compliance audits was conducted in late 2011/early 2012. In the following months there was talk about the next phase starting in the fall of 2014; however as that date drew closer the OCR was forced to delay.

The OCR has been under considerable pressure in recent years. The agency has an enormous workload and has been struggling with a lack of funding. With resources stretched, the OCR has had to work hard at improving efficiency, and doing more with the resources that it does have.

Part of that process involved the implementation of a new and more efficient data breach portal. Covered entities are now able to file breach reports more easily, and the arduous process of data collection has been streamlined; a necessity ahead of the next round of audits.

Since the pilot phase was completed, the OCR has been laying the foundations for a permanent audit program; a process that appears to be almost complete. New members of staff have been brought in and the OCR has been enforcing HIPAA rules with more vigor; issuing financial penalties to organizations that fail to comply with HIPAA regulations. According to Samuels, “We are hard at work on the next phase, and I know you’ve heard that a lot, but it’s coming,”

Update on OCR Compliance Audits

The pilot audits identified key aspects of HIPAA Rules that covered entities were struggling to comply with, and that information has been used to develop a new protocol for the next phase of audits. The OCR previously announced that the new protocol would include audit modules covering the Security Rule, Privacy Rule and Breach Notification Rules, which could be combined as required. A full compliance audit would consist of all three.

Samuels gave an update on the OCR compliance audit program and confirmed that the audit protocol has yet to be finalized, but said it would be published shortly. The protocol can then be used by covered entities, whether selected for audit or not, to perform their own analysis of security vulnerabilities.

Second Round of Compliance Audits to be Mostly Desk Based


The next round of audits were scheduled to involve both desk audits and site visits. Onsite visits involve more in depth auditing of HIPAA policies and procedures, with auditors wanting to see evidence of HIPAA in action. The desk audits are expected to consist primarily of a HIPAA documentation check. The total number of compliance audits was not announced by Samuels, but she did say that while some site visits would take place, the majority of healthcare organizations would be selected for a desk audit.

The process of selection for audits has already begun. Pre-audit screening surveys were sent earlier this year, and the OCR has now collected the required information and is in the process of verifying contact information.

New Vendor Appointed to Conduct Second Round HIPAA Compliance Audits


The pilot phase of the HIPAA–compliance audits was contracted out to KPMG, and while the OCR was understood to be taking on the task of conducting audits itself, the decision has been taken to appoint a vendor – Virginia-based FCi Federal – to conduct the compliance audits. This will ensure that the OCR’s already stretched resources are not stretched too far.

New OCR Guidance to be Issued for Patients and Cloud Service Providers


Samuels announced a number of initiatives that will be undertaken by the OCR to help organizations, covered entities and patients better understand HIPAA requirements. The OCR will be developing new guidance for providers of cloud services, as well as to cover the use of cloud technology by HIPAA-covered entities. Patients too will be given advice on HIPAA Rules regarding the sharing of data. The OCR plans to issue guidance to patients about their rights of access to their healthcare data, and covered entities given new guidance on their obligations to protect patient privacy, in particular, covering data sharing under Obama’s Precision Medicine Initiative.

The OCR is also planning on opening up a dialogue with developers of emerging technologies to allow them to get answers to their questions and find out about their obligations under HIPAA.

Website Update Expected by December


The Department of Health and Human Services is in the process of redeveloping its website, with many areas already redesigned and relaunched. The OCR’s section of the HHS website is also due for an overhaul. The OCR’s breach portal has already been updated, with a full redesign scheduled to be completed by December this year, according to Samuels.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.