When will the HIPAA compliance audits start? According to a letter sent by the Department of Health and Human Services’ Office for Civil Rights (OCR) Director to the HHS’ Office of the Inspector General (OIG), the second phase of HIPAA compliance audits will commence in early 2016.
HIPAA-covered entities therefore have very little time left to bring their policies and procedures up to the required standard, and to conduct risk assessments of their systems and equipment to identify security vulnerabilities.
Jocelyn Samuels Confirms Early 2016 Start to the Second Phase of HIPAA Compliance Audits
In a letter penned by OCR Director Jocelyn Samuels, the OIG was informed that the second phase of HIPAA compliance audits will consist of “combinations of desk reviews of policies as well as on-site reviews.” She also confirmed that Business Associates (BAs) would be included in the second phase of HIPAA compliance audits.
The previous OCR Director, Leon Rodriguez, indicated before he left that the OCR planned to implement a permanent compliance audit program, which would continually assess HIPAA-covered entities to ensure their compliance efforts continued. However, since Samuels’s appointment, progress towards that goal has been slow. The second round of compliance audits has been delayed and a permanent program seems a very long way off.
The problem faced by the OCR is how to conduct audits, which require a considerable amount of time and resources, when it lacks both. The OCR has a huge workload and relatively few staff, and this continues to pose problems when conducting large-scale projects such as the second round of compliance audits.
In the letter, Samuels explained that this continues to be a problem and that the scope and structure of the audits, on a long-term basis, will be limited by the resources the OCR has available.
As for the actual start date for the second round, that has yet to be announced. A contractor has been appointed to conduct the audits, key members of staff have been recruited, and the protocol is still being developed; however, it is probable that the first audits will start in the first quarter of 2016. That said, HIPAA-covered entities should not delay assessing their own compliance efforts and making sure all the T’s are crossed and the I’s are dotted.
The OCR did not issue any fines to organizations for Security, Privacy and Breach Notification failures as a result of the pilot phase of HIPAA compliance audits in 2011/2012, but the second phase of audits is expected to be different. Covered entities are likely to be held financially accountable for violations discovered during the second round, and fines of up to $1.5 million per violation category, per calendar year can be issued. Compliance failures could prove to be very costly indeed.