OCR Gives Updates at HIMSS15 but no Timescale for Compliance Audits

The Department of Health and Human Services’ Office for Civil Rights has not used the HIMSS 2015 conference as a podium to announce the start of the long-awaited second round of HIPAA compliance audits, although a number of OCR officials have given an insight into what the agency has in store for 2015.

HIMSS 2015 is a time of learning for healthcare professionals. The protection of EHRs – and the best practices and technology to adopt to protect them – is a major focus at this year’s conference. Cybersecurity is top of the agenda, and the high profile “mega-breaches” of recent months have healthcare IT professionals looking for answers.

The words “data breach” may be enough to bring out a cold sweat at the conference, although there were plenty in attendance on Monday for the session given by Marion Jenkins – Chief Strategy Officer at 3t Systems – which gave a brief history of HIPAA and examined a decade of data breaches. Jenkins recounted the enforcement actions already taken by the OCR since it took charge of policing HIPAA, and pointed out that it has increased its enforcement actions over the past few years.

Second Round Compliance Audits Still on Hold

On Tuesday, Adam Greene – a HIPAA expert and lawyer – took a session and was able to offer some insight into the upcoming audits, although he was not able to give an indication of when they are likely to start. He told attendees the next round of audits would “dwarf anything seen so far”.

The audits were originally scheduled for the fall of 2014. It took the best part of 3 years after the completion of the pilot audits before the OCR believed it would be in a position to run the next round, but web portal updates and issues finalizing the protocol have since put the audits back indefinitely.

The second round compliance audits will be based around the areas of non-compliance discovered by the OCR during the pilot phase. Covered entities (CEs) and their Business Associates will be selected at random for compliance audits on the Security Rule, Privacy Rule and the Breach Notification Rule.

When the audits start, each covered entity will be selected for a desk audit – an in-depth document check – or a site visit. The audit protocol is still being developed, although it has previously been announced that the audits will be narrower in focus, with each audit testing only one of the above rules. For example, a Business Associate could be selected for a Privacy Rule audit, a health plan for a Security Rule audit and a healthcare provider for a Breach Notification Rule audit.

Greene indicated that the OCR will not be “handing out fines like speeding tickets” but did predict an increase in both the number of settlements reached and the amounts of those settlements.

OCR Gives Updates on its Plans for 2015

Yesterday, Alessandra Swanson, Team Leader at the OCR’s Chicago Office, took a session on Cyber Security and the Current State of HIPAA Enforcement. She did not announce a timeframe for the start of the second round of compliance audits and did not get drawn on the format they would take.

It is the enforcement actions taken by the OCR – or the lack of them – that have many people talking, and the OCR has been criticized for not fining more CEs for data breaches caused by lax security standards. Swanson explained that financial penalties are not the only solution.

She said, “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first.” She went on to say “We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

It is not just compliance audits that the Office for Civil Rights has to prepare for; it has many roles and a number of projects and initiatives that it is attempting to put into action, in spite of an apparent shortage of resources.

Big Plans for the Office for Civil Rights in 2015

The OCR is now preparing new guidance to help covered entities – in particular Business Associates – bring their privacy and security controls up to the standards required by HIPAA. Business Associates were brought under HIPAA with the introduction of the 2013 Omnibus Rule, and they must now sign Business Associate Agreements and agree to abide by HIPAA Rules or face the same sanctions that healthcare providers face if they are found to be non-compliant.

The OCR is expecting some 17,000 breach reports this year via its updated breach report portal, and it is required to investigate a number of these incidents and take action against CEs for HIPAA violations. The department has a number of active investigations running involving healthcare providers, health plans and Business Associates.

Further guidance is going to be issued on the Breach Notification Rule to ensure that CEs are aware of their responsibilities, and additional guidance will be issued covering the use of PHI for marketing purposes. There is also the matter of further legislative changes that need to be ushered in. The update involves amendments to accommodate the Accounting of Disclosures Rule under the HITECH Act, a highly controversial change that has attracted a barrage of criticism.

There is clearly a lot going on and a great deal to prepare for, but for the time being, CEs have time to get their policies and procedures in order ahead of the start of the second round of compliance audits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.