The Office for Civil Rights’ onsite HIPAA compliance audits that were scheduled to take place in the first quarter of 2017 are to be delayed, according to OCR’s Deputy Director of Health Information Privacy, Deven McGraw.
In an interview at HIMSS17, McGraw explained to Information Security Media Group that the decision to delay the onsite HIPAA compliance audits was taken to allow OCR time to process the reports from the desk audits.
166 desk audits of covered entities took place last year. Those audits involved a review of covered entities’ HIPAA documentation. All information has now been collected, collated, and assessed and OCR is expecting to start notifying covered entities of the findings of the audits later this week/next week.
The process of conducting desk audits of business associates of covered entities is well underway. While the desk audits are progressing, a number of business associates are still in the process of uploading their documentation. 45 business associates are being audited during phase 2 of the HIPAA compliance audits.
OCR has brought in a contractor to assist with the audits, but even so, the amount of work involved is considerable. McGraw told Information Security Media Group that the desk audits have required an “enormous resource-intensive effort.”
OCR works with limited resources, which have been stretched by the second phase of HIPAA compliance audits. A delay to the onsite HIPAA compliance audits will give OCR some breathing space and will allow the agency to fully assess the results of the audits before the more through onsite audits take place.
The decision makes a great deal of sense. Only after the desk audits have been analysed will OCR know which aspects of HIPAA Rules are proving to be the most problematic for covered entities. The onsite HIPAA compliance audits can then be tailored accordingly. OCR also wants to obtain input from the new secretary for the Department of Health and Human Services, Tom Price. Secretary Price may have views on how the audits should be conducted, and the delay will allow OCR to factor in any suggested changes.
It is not known how long the onsite audits will be delayed, although Deven McGraw says they certainly will not take place in the first quarter of 2017. Realistically, it may be the end of the year before the onsite compliance audits commence. McGraw says they may ‘slip into 2018’.
While the onsite compliance audits will be delayed, HIPAA enforcement activities will be continuing at the same pace as we saw in 2016. Already there has been one CMP and three HIPAA settlements announced. We can expect more covered entities to be penalized for systemic HIPAA violations throughout the course of 2017.