OCR HIPAA Compliance Audits to Commence in 2016

The new Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has been settling into her role since her appointment earlier this year, but until now she had not given an interview to the news media. She recently gave an exclusive interview to the Security Media Group, in which she shed some light on planned OCR activities, including the upcoming HIPAA compliance audits.

Deven McGraw Gives First News Media Interview


McGraw spoke with HealthcareInfoSecurity.com’s Executive Editor, Marianne Kolbasuk McGee. She was quizzed on OCR enforcement activities and on current and future OCR initiatives, and she was asked the question that is on everyone’s lips at the moment: When will the HIPAA compliance audits take place?

A Shortage of Resources has been McGraw’s Biggest Challenge


The program of random HIPAA audits was penciled in for 2014; however, the sheer scale of the job has caused problems. Audits take a considerable amount of time and resources, both of which the OCR lacks.

McGraw confirmed that the OCR’s current problem is not a lack of skilled staff. She said she has some great people working for her; the problem is that she does not have enough of them. She told SMG that this has probably been her biggest challenge.

A full complement of highly skilled personnel may be at the top of her wish list, but McGraw said that it is not possible to have everything, so she has had to make do with what is available. With a workload as large as the OCR’s, it is not possible to do everything at once. She has had to be strategic with the resources available and has prioritized tasks. McGraw told SMG, “It’s a big agenda… [with] lots of really exciting stuff.”

OCR Compliance Audits to Recommence in 2016


One of those exciting initiatives is the HIPAA compliance audit program: a random series of audits of HIPAA-covered entities, designed with two purposes. First, the audit program gives the OCR invaluable feedback on the aspects of HIPAA that are causing problems for covered entities. Armed with that information, the OCR can develop new guidance to help healthcare providers, insurers and their business associates introduce the safeguards necessary to keep Protected Health Information (PHI) secure. The OCR is currently planning to issue guidance on the use of mobile devices and cloud services by healthcare providers, and further guidance will be issued on a number of different “factual scenarios” that are causing covered entities problems.

The second purpose of the audits is to ensure that covered entities are adhering to the HIPAA Rules. Those that are not will have to dig deep and pay for their lack of attention to data security and patient privacy: the OCR will issue fines to covered entities that blatantly disregard the HIPAA Rules.

McGraw confirmed that the audit program is in the final stages of development. The OCR is currently bringing in key members of staff and has appointed a company to provide assistance with the audit program. Public comments will be sought, and it is hoped that this process will take place by the end of the year or the start of 2016.

McGraw said that the next round of audits will be narrower than the pilot in scope and depth of assessment, but more audits will be conducted the second time around. The OCR will not be looking at everything; instead it will focus on key areas of the HIPAA Rules and will check policies and procedures through its proposed desk audits. On-site visits will be conducted in some instances, but the cost of full on-site audits is prohibitive.

However, covered entities that think they can delay bringing data security standards up to those required by HIPAA should think again. McGraw said, “We investigate every breach of more than 500 records and we look at a lot of breaches under 500 records, and we respond to complaints that people have filed about HIPAA violations.” She went on to say, “If entities are out there thinking that we are asleep at the wheel, they need to wake up because we are not asleep at the wheel,” and added, “Counting on not getting caught, counting on not getting audited… that’s probably a risky strategy.”

The OCR Understands It Is Not Possible to Prevent All Data Breaches


McGraw said that one of the biggest lessons she has learned is that healthcare data is not immune to hacking. “It is not possible to get down to zero risk.”

There have been instances where hackers have gained access to healthcare data as a direct result of failures to secure systems to an appropriate standard; however, even with strong security defenses in place, cybercriminals can still gain access to data.

The OCR is not interested in penalizing all organizations that suffer a data breach, but as McGraw pointed out, “We still have an expectation that people put reasonable safeguards in place.”

Hackers are a very real threat, but one of the biggest causes of data breaches is carelessness. Portable storage media and laptops are lost or stolen all too often, and in many cases the data stored on these devices is unencrypted. This is an area that is within the control of a covered entity, and efforts must be made to manage the risk and reduce careless mistakes. It is also worth noting that under the HIPAA Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not considered “unsecured” PHI, so the loss of a properly encrypted device generally does not trigger breach notification in the way that the loss of an unencrypted one does.

The take-home message is that a risk assessment must be conducted and, in order to avoid a financial penalty, “reasonable safeguards need to be deployed to match the risk.”

The full interview can be found here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.