2016 Start for Phase 2 of the OCR HIPAA Compliance Audits

The second phase of the OCR HIPAA compliance audits have been delayed for more than a year, but the wait is finally over, according to Deven McGraw.

Deven McGraw is the Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR). McGraw joined the OCR in 2014, but she has not given a news media interview until now. However, in an exclusive interview with the Security Media Group, McGraw gave some insight into OCR activities and said the OCR HIPAA compliance audits will recommence in 2016.

Speaking with HealthcareInfoSecurity.com’s Executive Editor – Marianne Kolbasuk McGee – McGraw talked about her role at the OCR, what she has achieved since she arrived, and the steep learning curve involved. She also explained that during her short time in the position, she has really had her eyes opened to the enormity of the tasks that the OCR is required to perform, as well as the limited resources it has available.

She may have joined hoping to address a number of issues quickly, but soon discovered that there are simply not enough staff members to tackle everything at once. Consequently she has been forced to prioritize, and has had to strategically deploy the resources she has available to address the most critical issues.

One of the biggest issues the OCR has is how to get so much work completed with severe budgetary restrictions. Those restrictions are the reason for the delay to the OCR HIPAA compliance audits. However, the delay is almost at an end, with OCR staff working hard to finalize the audit protocols. She explained that new members of staff have been appointed to help manage the audit program, which is progressing well.

McGraw did not give a start date for the next round of OCR HIPAA compliance audits, but did say that the OCR is expecting to seek public comments on the program ahead of a 2016 start date. She expects the commenting process to take place this year.

She gave some insight into what HIPAA-covered entities can expect when the audits finally start. The pilot phase of was very broad in scope, as the first round of OCR HIPAA compliance audits were designed to identify areas where covered entities struggled to achieve compliance.

Armed with that information, the OCR has been able to develop the second phase of the program and target key areas where HIPAA violations are most likely to be discovered. Because of this, the next phase will be much narrower in scope, only testing specific aspects of compliance.

The pilot phase involved full audits of covered entities with site visits; however phase 2 of the program will mostly consist of desk audits. Covered entities will be required to submit documentation to support their compliance efforts and prove they have adopted and understood the requirements of the Privacy, Security and Breach Notification Rules. Business Associates of covered entities will also be audited as part of phase 2.

McGraw has not ruled out site visits in the second phase of the OCR HIPAA compliance audits, but only a small number will be conducted. With such limited resources, it would not be possible to conduct nearly enough audits with the funding available. Site visits are prohibitively expensive.

Covered-entities should not get complacent and believe that they can hide HIPAA violations from OCR auditors if selected for a desk audit. While narrow in scope, the audits will really test covered entities and should identify HIPAA violations.

McGraw told the Security Media Group, “If entities are out there thinking that we are asleep at the wheel, they need to wake up because we are not asleep at the wheel” she went on to say, “Counting on not getting caught, counting on not getting audited…….that’s probably a risky strategy.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news