2015 HIPAA Compliance Audits: OCR Refuses to be Drawn

The 2015 HIPAA compliance audits are expected to take place, but the Office for Civil Rights has refused to be drawn on a date when the second round of compliance audits will commence.

OCR Unwilling to Give Timescale for the 2015 HIPAA Compliance Audits

The OCR had a presence at HIMSS 2015, and while some details were leaked about what the OCR has in store for covered entities over the coming months, no details of the audit plans were released. While an announcement of the date of the audits was expected – HIMSS 2015 being an ideal setting for an announcement – the OCR chose to remain tight-lipped on its plans.

The first round of HIPAA compliance audits – the pilot phase – was completed some three years ago, with the second round originally scheduled for the fall of 2014. As the deadline approached, the OCR announced that it would be putting the audits on hold to allow it time to develop a new web portal for reporting breaches, which would also ensure the process of collecting documents for the audits runs smoothly.

Collating documentation on some 400+ covered entities is a major task, and one that is very labor intensive. With the OCR already struggling with the resources it has available, the web portal was deemed necessary to ease the administrative burden the OCR faces. Once the portal was up and running, the OCR announced a further delay as it was still in the process of finalizing the audit protocol.

A “compliance specialist – auditing” post has recently been advertised on the HHS website, indicating that there is some movement on the audit front. The senior auditing position requires a person who can exhibit leadership qualities and “plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules.” Even if the position is filled in the coming weeks, it now looks unlikely that the OCR will be sufficiently prepared to start the next round of HIPAA audits before the fall.

In a session at the HIMSS 2015 conference, privacy attorney Adam Greene, from law firm Davis Wright Tremaine, indicated that the audit delay was due to the departure of previous OCR head, Leon Rodriguez, last year. Greene said that Rodriguez's replacement, Jocelyn Samuels, needed a little time to find her feet. It was also suggested that the lack of resources was another likely reason for the delay.

The OCR was more open about its other plans. It was announced that it is in the process of finalizing new guidance material covering the Breach Notification Rule, as well as preparing new guidance to help Business Associates become HIPAA-compliant.

Recent OCR Enforcement Activities Highlighted

Alessandra Swanson, OCR team leader from the Chicago division, attended the conference and hosted a session: “Cyber Security and the Current State of HIPAA Enforcement”. While she avoided the audit topic, she did speak about the actions that the OCR has taken in recent years and gave some insight into its enforcement actions.

The OCR has been criticized in the past for not issuing more financial penalties to organizations that fail to adhere to HIPAA Rules. She explained, “Our goal is, and has always been to get entities into compliance.” She went on to say, “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first. We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

So for the time being, the 2015 HIPAA compliance audits are still on hold, which gives covered entities a little more time to get prepared. Which is just as well, because Greene for one believes that the second round compliance audits will “dwarf anything seen so far.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news