No Timetable for HIPAA Audits Provided by OCR Director

OCR Director Jocelyn Samuels has revealed the expected round of HIPAA audits are could still be some time off. In a Jan 13 media briefing the OCR Director refused to commit to a timescale for the next round of audits, which were originally expected to take place in the fall of 2014.

The delay has previously been attributed to issues with the implementation of new technology to allow audit documents to be collected and processed. No reason was given for the continued delay to the audit program, other than the fact that the OCR still has plenty of work still to do before the audits program can be launched.

The pilot audits first took place in 2012, with an initial 115 organizations assessed for compliance. KPMG conducted the audits and the procedures and protocols have needed to be revised to accommodate the changes made by the introduction of the Omnibus Final Rule in 2013.

The delay gives healthcare organizations some more time to conduct risk assessments, review and revise business associate agreements and make sure all HIPAA regulations are being followed.

Samuels confirmed that when the audits do recommence the OCR will include business associates, which are covered under the Omnibus Final Rule. A proportion of the expected audits will be conducted on business associates, which under the Omnibus Rule are liable for HIPAA violations and compliance issues. According to Samuels, the “OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR.” All covered entities were advised to regularly check the OCR website to keep up to date with its HIPAA enforcement program.

The audits are part of a number of enforcements tools used by the OCR to police HIPAA and ensure that the appropriate privacy and security measures are being correctly implemented throughout the healthcare industry. The OCR also responds to complaints of violations and conducts compliance reviews.

An example is now being made of organizations that fail to take measures to protect patient health data and suffer data breaches. According to Samuels, “These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members.” Substantial fines are being issued when violations are discovered.

This year the OCR is expecting to issue guidance covering cloud computing and how it relates to ePHI to clear confusion and allow healthcare providers to take advantage of the benefits without violating privacy and security rules.

Other plans include what is being referred to as the “minimum necessary” rule, relating to the amount of information that should be disclosed or used to complete a particular job or function. A Final Rule is expected to be issued covering the provision of information as part of the National Instant Criminal Background Check System, which enable law enforcement officers to enforce gun laws more effectively and prevent firearms sales to prohibited individuals.

The OCR is also expected to issue an advanced notice to allow the victims of data breaches to receive a share of the settlement reached with the violating party. Under HITECH Act the OCR is mandated to develop a method by which this can be achieved. The OCR has received recommendations from the HIT Policy Committee regarding its accounting of disclosures rulemaking issued in 2011 and further public input has been requested. Samuels confirmed that the matter is still under evaluation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.