OCR to Commence Round 2 HIPAA Compliance Audits

The Office for Civil Rights (OCR) of the Department of Health and Human Services is a step closer to commencing the second round of HIPAA compliance audits, having issued a notice in the Federal Register announcing its intention to start a series of 1,200 pre-audit surveys.

The OCR is authorized to conduct compliance audits under Section 13411 of the HITECH Act and intends to assess compliance with HIPAA Privacy, Security, and Breach Notification Rules.

The notice states that the OCR intends to survey 800 healthcare providers, clearinghouses and health plans, in addition to 400 of their business associates, as part of the next round of compliance audits. Since the introduction of the Omnibus Rule, business associates can be held liable for HIPAA non-compliance issues and data breaches, and the OCR wants to ensure that the new legislation is being followed.

OCR Deputy Director Susan McAndrew announced at the 2014 HIMSS Annual Conference on February 24 that the aim of the survey is to assess suitability for audit. Since the sample was taken at random, the OCR must first weed out organizations in its database which are no longer in business, and it must also confirm that each organization is the same as the OCR's database indicates. Additionally, the survey will determine the organization's size and suitability for audit by asking questions about recent patient visits or, in the case of healthcare insurance companies, the number of policies recently issued.

Since the primary focus of the audits is to ensure that electronic health data is properly secured, organizations will also be assessed on the extent to which their health records have been digitized. The OCR's audits must also cover the full range of covered entities, and the sample must be geographically representative; the survey will ensure that these requirements can be met, so not all surveyed entities will be selected for audit.

The next round of compliance audits is expected to have a much narrower focus than the pilot audits conducted between 2011 and 2012. Security risk assessments are likely to be a major focus, as the pilot audits revealed numerous HIPAA violations in this area. Over two-thirds of the organizations surveyed during the pilot audits were found to have violated the HIPAA Security Rule by failing to conduct a risk analysis, including 80% of the healthcare providers audited. The secure disposal of patient health records will also be assessed, along with the controls that have been implemented to prevent unauthorized access to PHI and personal identifiers.

The audits are expected to also assess HIPAA Privacy Rule compliance, including patients' rights of access to their health data and the use of NPPs (Notices of Privacy Practices), while policies and procedures covering breach notifications will also be a focus. Organizations are expected to be able to show documented proof that staff have received training on data privacy and security rules and that all policies and procedures have been updated following the introduction of the Omnibus Rule.

Although not specifically demanded by HIPAA, data encryption is an area that must be addressed by all covered entities. It is not mandatory to encrypt all Protected Health Information, but if a covered entity chooses not to encrypt its data, it must document why encryption is deemed unnecessary and what alternative security measures it has put in place instead.

The audits are now a step closer, but the OCR has yet to confirm the number of organizations that will be audited or the protocol the audits will follow.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.