Second Round of HIPAA Compliance Audits Delayed

The second round of HIPAA compliance audits appears to be on indefinite hold. Office for Civil Rights (OCR) Director Jocelyn Samuels explained at the recent 23rd National HIPAA Summit in Washington that the OCR audit protocol has yet to be finalized, according to a recent article in Lexology.

Second Round of HIPAA Compliance Audits Delayed Until Web Portal is Implemented

The first round of HIPAA compliance audits was a pilot phase, used to assess the general state of compliance across the healthcare industry. The aim was to determine which aspects of HIPAA were not being implemented or were causing the most problems. Those audits were completed in 2012, and the second round of HIPAA compliance audits was penciled in for the fall of 2014.

However, as that provisional deadline approached, the OCR compliance audits were delayed. The burden placed on the OCR is considerable at the best of times, and with the department's limited resources the additional workload of conducting audits would have been unmanageable. A new web portal was required to streamline data collection so that auditors could work more efficiently.

Now that the portal has been implemented there is another delay. While the outline of the proposed audits was announced last year, the final OCR audit protocol has not been settled. The audits must tackle the areas of non-compliance discovered during the pilot, and should also incorporate the requirements of the 2013 Omnibus Final Rule.

Desk assessments will be used along with site visits, and this time around it will be auditors from the Office for Civil Rights conducting the compliance reviews. The fieldwork will not be subcontracted for the second round of HIPAA compliance audits. This means staff will need to be trained, procedures developed and desks cleared before the audits can start. They may not be happening any time soon.

The OCR Explains the HIPAA Audit Process

The HIPAA audit process for the second round will be based on modules, one for each aspect of HIPAA to be assessed: the Privacy Rule, the Security Rule and the Breach Notification Rule. An organization selected for audit can then be given a narrowly targeted assessment against any one of these modules, or against a combination of them if a more thorough assessment is required.

No timeframe has been set for the second round, but Samuels advised all covered entities to check the HHS website regularly. Any further news on the second round will be posted there.

Healthcare providers, healthcare clearinghouses and health insurers may be relieved to hear that they will not be under OCR scrutiny for a while yet, but now is the time to conduct the risk analysis the Security Rule requires: identify security vulnerabilities, manage the resulting risks, and document both the findings and the remediation. Staff must also be trained on HIPAA compliance.

When the auditors come knocking it is important to be prepared: they will want to see full documentation and evidence that HIPAA policies are actually being followed, not just written down.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news