Second Round of HIPAA Audits are to be Delayed

The Department of Health and Human Services’ Office for Civil Rights has announced that the second round of HIPAA audits are to be delayed in order for a new breach reporting web portal to be implemented.

The intention is to streamline the document collation processes to cut back on unnecessary paperwork – and paper chasing – ahead of the next round of HIPAA compliance audits.

Announcing that the second round of HIPAA audits are to be delayed, Linda Sanches – an OCR senior adviser – said: “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before.”

Auditing healthcare organizations on HIPAA Rules requires a considerable amount of documentation to be provided by covered entities (CEs), and this needs to be collated and checked by auditors. KPMG conducted the pilot phase of audits, although second time around it will be the OCR staff who will take on that responsibility. The second round HIPAA audits are also expected to involve a much greater number of organizations so there was an urgent need to update the web portal.

Since the pilot audits were conducted in 2011-2013 we have seen the introduction of the Omnibus Rule, which requires Business Associates to adopt HIPAA Rules. Business Associate HIPAA audits will therefore need to be conducted, in addition assessments on a representative sample of healthcare providers, health plans and healthcare clearinghouses. The pilot phase of compliance audits was conducted on 115 CEs. The second round HIPPA audit program is expected to involve 400 CEs and 200 Business Associate HIPAA audits.

What to Expect in 2015

The OCR has not provided a firm date for the start of the HIPAA auditing, although it is expected to take place at some point in 2015, most likely in the fall. Before compliance is assessed, the OCR must first select its sample of CEs. These need to represent the different types or organizations covered under HIPAA Rules.

In February of this year, the OCR submitted a notice in the federal register in order for it to contact up to 1,200 CEs to allow it to assess those organizations for their suitability for an audit. While a selection of healthcare providers, insurers, clearing houses and Business Associates must be audited, the sample also needs to be geographically representative and include large and small CEs.

Format of the Second Round HIPAA Audits

Although the second round of HIPAA audits are to be delayed, the format of the audits is already known.  There are different aspects of HIPAA regulations that the OCR wishes to test.

There are the three amendments to HIPAA – The Privacy Rule, Security Rule and Breach Notification Rule – which were examined in the broad pilot audits. The pilot phase identified a number of areas where CEs were failing to meet the minimum standards laid down in the amendments.

One of the aims of the pilot phase was to determine which aspects of the legislation were proving to be the most problematic for CEs. In the second round, the OCR will want to test these common areas of non-compliance. The OCR has yet to finalize its audit protocol as the second round will take a different format to the pilot.

Instead of site-visits and inspections for all selected CEs, some of the assessments will be conducted remotely and are expected to consist of a full document check. If a site-visit is scheduled, documentation will need to be provided, but the OCR auditors will also want to see evidence of HIPAA in action.

Instead of an inspection of all documentation, policies and procedures, the auditors will only want to see one aspect of HIPAA. The audits are going to be split into modules on the Privacy Rule, Security Rule and Breach Notification Rule. While most organizations will be required to undergo an audit on one module, they may be selected for a combination, or even a full compliance audit consisting of all three.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of