Onsite HIPAA Audits Could Be Delayed by a Year
In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed.
It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow the 211 desk audits that were conducted last year, although the decision has been taken to push back the onsite audits until the reports of the desk audits have been written and analyzed.
For the HIPAA compliance desk audits, covered entities and business associates of covered entities were sent notifications that they had been selected for audit. They were asked to supply a range of documentation on various aspects of their HIPAA compliance programs. The documentation has now been assessed and OCR is very close to issuing reports to the 166 covered entities that were audited. Those reports will be sent out in groups, with the first batch hopefully sent by the end of this week.
Covered entities will be provided with the opportunity to comment on the findings of the audits before the reports are finalized. Business associate audits are continuing, with some audit notifications only sent recently. In total, 45 business associates of covered entities were selected for audit.
The onsite audits will be conducted on a small selection of geographically representative covered entities. Last year, when OCR announced the start of the second phase of HIPAA compliance audits, the onsite audits were expected to be conducted in the first quarter of 2017. However, Deven McGraw said the onsite audits are to be delayed. It is hoped that the onsite audits will still take place this year, although they may “slip into 2018.”
The reason for the delay is that it makes more sense to hold fire on the onsite audits until the results of the desk audits have been assessed. No final decision has been made on the timescale, although it is possible that the final report for the public on the results of the desk audits may be issued before the onsite audits begin.
Input will also be sought from Tom Price, the new secretary for the Department of Health and Human Services. Secretary Price may have views on how the audits are conducted, which will need to be factored in before the audits commence. McGraw also explained that the desk audits have been an “enormous resource-intensive effort” and OCR does not want to “take on more than it can chew.”
However, while OCR is busy with the audit process, there will be no letup in OCR enforcement activities in 2017. The same pace of HIPAA enforcement activities will continue throughout the year.
The interview with Deven McGraw and further information on OCR’s plans for HIPAA enforcement in 2016 can be found on this link.