HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Onsite HIPAA Audits Could Be Delayed by a Year

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed.

It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow the 211 desk audits that were conducted last year, although the decision has been taken to push back the onsite audits until the reports of the desk audits have been written and analyzed.

For the HIPAA compliance desk audits, covered entities and business associates of covered entities were sent notifications that they had been selected for audit. They were asked to supply a range of documentation on various aspects of their HIPAA compliance programs. The documentation has now been assessed and OCR is very close to issuing reports to the 166 covered entities that were audited. Those reports will be sent out in groups, with the first batch hopefully sent by the end of this week.

Covered entities will be provided with the opportunity to comment on the findings of the audits before the reports are finalized. Business associate audits are continuing, with some audit notifications only sent recently. In total, 45 business associates of covered entities were selected for audit.

Please see the HIPAA Journal Privacy Policy

The onsite audits will be conducted on a small selection of geographically representative covered entities. Last year, when OCR announced the start of the second phase of HIPAA compliance audits, the onsite audits were expected to be conducted in the first quarter of 2017. However, Deven McGraw said the onsite audits are to be delayed. It is hoped that the onsite audits will still take place this year, although they may “slip into 2018.”

The reason for the delay is it makes more sense to hold fire on the onsite audits until the results of the desk audits are assessed. No final decision has been made on the timescale, although it is possible that the final report for the public on the results of the desk audits may be issued before the onsite audits begin.

Input will also be sought from Tom Price, the new secretary for the Department of Health and Human Services. Secretary Price may have views on how the audits are conducted, which will need to be factored in before the audits commence. McGraw also explained that the desk audits have been an “enormous resource-intensive effort” and OCR does not want to “take on more than it can chew.”

However, while OCR is busy with the audit process, there will be no let up on OCR enforcement activities in 2017. The same pace of HIPAA enforcement activities will continue throughout the year.

The interview with Deven McGraw and further information on OCR’s plans for HIPAA enforcement in 2016 can be found on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.