The first round of HIPAA audits conducted by OCR in 2012 seems like a distant memory. With the threat of audits looming since fall 2014, organizations have had longer than expected to prepare for the phase 2 audits, in part due to delays caused by slow web portal development and by OCR resources being stretched by the investigation of numerous and significant data breaches.
With this in mind, HIPAA covered entities and business associates should have been investing in bringing data privacy and security safeguards up to the required standards. Failure to meet the standards may be seen as willful neglect, and heavy fines could be issued to those still found to be violating HIPAA regulations.
The exact start date for the pre-audit has yet to be confirmed; however, the Director of the Department of Health and Human Services’ Office for Civil Rights confirmed that the second phase of the HIPAA compliance audits will commence in early 2016, beginning with the pre-audit survey being sent out.
It appears that OCR will receive the information submitted by entities via the new web portal. The portal will allow OCR to move away from time-intensive on-site audits toward desk audits, streamlining the process once analysis of the data begins. On-site audits are still likely, but the submission of information via the web portal is designed to enable OCR to conduct the phase 2 audits far more efficiently.
OCR have faced criticism for delaying the audits from the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG). A report issued in September highlighted that OCR were too reactive in enforcing HIPAA when they should have been tackling the issues more proactively. The report also raised concerns that cases were not being handled correctly, citing insufficient documentation and a failure to check whether a covered entity had been investigated previously. OIG’s primary corrective action recommendation was that OCR immediately and fully implement a permanent audit program, and OCR responded quickly.
OCR have been overwhelmed with responding to and investigating complaints over the last three years, and this has undoubtedly slowed the implementation of an audit program that can proactively identify and assess covered entities’ possible noncompliance with the privacy standards.
OCR have a huge challenge ahead of them. Whereas the first round of audits focused on the compliance of covered entities, OCR will now survey both covered entities and business associates to determine who will be selected for the phase 2 HIPAA audits.
For covered entities and business associates, the clock is ticking, and organizations will need to do all they can to ensure that they meet the deadline for HIPAA compliance. If the results of the phase 1 audits and the high-profile data breach cases are anything to go by, data security is likely to be the main focus of the audits, and OCR will undoubtedly scrutinize organizations’ abilities to meet the technical, physical and administrative safeguards outlined under the HIPAA Security Rule.