OCR Confirms Phase 2 HIPAA Compliance Audits to Commence Early 2016
The Director of the Department of Health and Human Services’ Office for Civil Rights, Jocelyn Samuels, has confirmed the second phase of the HIPAA compliance audits will be commencing in early 2016. No more delays are expected.
HIPAA-covered entities will soon have their compliance efforts put to the test and Business Associates will also not escape. They too will be assessed on compliance with the HIPAA Privacy, Security and Breach Notification Rules.
Samuels recently wrote to the HHS Inspector General following strong criticism received about the OCR’s enforcement activities in addition to inconsistencies enforcing HIPAA Rules. At present, the OCR relies heavily on reports of privacy violations from the general public and self-reporting of data breaches to identify HIPAA violations and to choose which entities to investigate.
The agency has yet to develop a permanent HIPAA-compliance audit program, even though such a program was much talked about early in Leon Rodriguez’s tenure as head of the OCR. According to a recent OIG report, released on Tuesday, “Without fully implementing such a program, [the] OCR cannot proactively identify covered entities that are noncompliant with the privacy standard.”
Last month, Deputy Director for Health Information Privacy at the OCR, Deven McGraw, gave her first news media interview in which she stated that the second phase of HIPAA compliance audits would commence in 2016. She did not give any indication of when those audits would take place. Samuels has now narrowed that down, although she fell short of providing an actual start date.
In the letter to the OIG she said, “[The] OCR is moving forward with planning for a permanent audit program. We will launch Phase 2 of our audit program in early 2016.”
As previously announced, the second phase of HIPAA compliance audits will differ from the pilot phase, which primarily involved site visits. This time around, more audits will be conducted, but a large percentage will be “desk reviews”. These are expected to consist of a document check, and will aim to identify whether the covered entities in question have understood and applied HIPAA Rules. The audits will test for some of the common compliance failures that were identified during the pilot phase, and from subsequent data breach investigations the agency has conducted.
Between now and the start of the next phase of audits, the OCR will be “updating the audit protocols [and] refining the pool of potential audit subjects.” How many audits will be conducted has yet to be confirmed. Previously the OCR has indicated it will be conducting around 400 audits, although that figure could well change. The number will likely be dictated by budgetary constraints. Those budgetary constraints are unlikely to ease over the coming months, so the actions taken against HIPAA violators identified in the audits may also be restricted.
One warning that came out of Samuels’s reply, is that when inspectors assess covered entities for non-compliance issues, it will not only be the current state of play that is assessed. The auditors will also look at how much has historically been done to become compliant with HIPAA Rules. Organizations that have only just become HIPAA compliant could well be held financially accountable for a lack of past efforts to secure data and protect the privacy of patients. Little can be done to correct historical failures now, but it is essential that effort is put in now.
HIPAA-covered entities have now had three years since the end of the pilot audits to bring data privacy and security safeguards up to the required standards. Current violations could therefore be seen as willful neglect, and heavy fines could be issued to those found to still be violating HIPAA regulations.