OCR launches Phase 2 of HIPAA Audit Program

Tools

The Department of Health and Human Services Office for Civil Rights on Monday initiated the second phase of its HIPAA Audit Program.

Speaking at the 24th National HIPAA Summit in the District of Columbia, OCR Director Jocelyn Samuels announced the launch, saying that the effort will comprise more than 200 desk and on-site audits. Samuels noted that OCR has also developed an audit-specific portal to enable notified entities to submit requested documentation in digital form.

Desk audits will make up the first two rounds of audits, Samuels said. The first round of desk audits will focus on covered entities, according to an OCR announcement, while the second round of audits will focus on business associates; all desk audits will be completed by December. For each of the desk audits, OCR will look at compliance with particular provisions of the privacy security and breach notification rules.

"We'll be looking at risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications," Samuels said.

Onsite audits, according to OCR, will focus on "a broader scope of requirements" compared to the desk audits. Those who undergo desk audits may also have to undergo an onsite audit, as well.

"This is a critical tool for us," Samuels said. "We don't intend it to be a punitive mechanism. We do intend to use it to enable us to get out in front of the kinds of problems that have led to the breach reports that we have received."

The audit program, Samuels continued, will give OCR a way to examine different sectors and geographic regions of the industry, as well as different sized entities, to evaluate some of the risks they may be facing before those risks "ripen" into breaches.

"We don't necessarily get to see these things through the complaints we receive, and by the time we get a breach report, it's too late to prevent a problem," she said. "We really do look at this as a valuable way for us to get out in front of potential problems and to direct our guidance to the issues that we see occurring in ways that we hope will be more useful to the regulated community."

OCR started sending out address verification letters Monday and will continue the process throughout the week. Those letters will be followed by a questionnaire.

"Once we get the results of the questionnaire back, we will do a sampling of entities based on a host of factors, including size, including the nature of the business, including a balance between covered entities and business associates, including regions of the country," Samuels said. "What we really want to do is use this to get a sense of whether there are systemic structural issues that we can do a better job of addressing."

To learn more:
- read the OCR announcement

Related Articles:
Medical research institute to pay $3.9M in HIPAA settlement
Minnesota health system pays $1.55M after failing to make BA agreement, conduct risk analysis
Cyberattacks increase in sophistication, breaches go 'unchecked,' survey finds
More enforcement likely in second round of HIPAA audits, attorney says