OCR picks vendor for second phase of HIPAA audit program

Tools

The next phase of the HIPAA audit program is moving forward at the Department of Health and Human Services' Office for Civil Rights, which has chosen a vendor to conduct the audits.

 Ashburn, Virginia-based FCi Federal has been picked as the vendor, OCR confirmed to FierceHealthIT.

"We are hard at work on the next phase, and I know you've heard that a lot, but it's coming," OCR Director Jocelyn Samuels said Wednesday at the "Safeguarding Health Information: Building Assurance through HIPAA Security" conference in the District of Columbia. "Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach ... and they enable us to better tailor our guidance and our technical assistance to ensure that we're addressing the most common problems."

Samuels reiterated that OCR has started verifying contact information for the "universe of potential auditees" for phase two of the program, which will focus on both covered entities and business associates. The greatest portion of the audits will be desk audits, but OCR will be doing on-site audits as well, Samuels said.

There also will be an updated audit protocol as the first audits draw closer, which she said providers should use as a tool for their own self-analysis for potential vulnerabilities in their systems.

Other efforts coming soon from OCR highlighted by Samuels include:

  • New guidance on patient right to access data under HIPAA, especially with regard for sharing information for President Barack Obama's Precision Medicine Initiative. "We will be issuing new guidance so we can inform individuals about their rights to access ... and make sure providers know what their obligations are," she said.
  • Guidance on use of cloud technology and HIPAA obligations that apply to cloud providers is in the works.
  • A portal developers can use to ask OCR questions about ways in which HIPAA applies to emerging technology. Samuels said OCR anticipates the portal creating a space for a public dialogue and a vehicle to better understand issues arising in the industry and prioritizing the kinds of guidance and technical assistance the office can give.

Samuels also said "she hopes" in December OCR will have a new and improved website. The Web redesign will make materials more accessible, easier to find and easier to understand.

Related Articles:
Jocelyn Samuels: Privacy and data sharing can coexist
HHS Office for Civil Rights sends preliminary surveys for Phase 2 of HIPAA audit program
HIPAA audits still on hold