HIPAA Compliance Audits Remain on Hold

April 16, 2015

OCR Official Describes New Guidance in the Works

By , April 15, 2015.

HIPAA Compliance Audits Remain on Hold

After a three-year delay, federal regulators remain tight-lipped about when the next round of HIPAA compliance audits will begin. But a variety of new HIPAA-related guidance is in the works, a government official says.

During an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from the Department of Health and Human Services’ Office for Civil Rights told attendees the next phase of the random HIPAA audit program “is under development.” Attorney Alessandra Swanson, an OCR team leader from the agency’s Chicago office, declined to say whether there’s a potential timeline for when OCR expects to kick off the next round of HIPAA audits, or what the program might look like.

OCR, which enforces HIPAA, had hoped to kick off phase two of its compliance audit program last fall, but officials last September revealed the program was being delayed. The culprit blamed at the time: technology that the agency said was still being rolled out at the agency that will allow OCR to collect audit-related documentation from covered entities and business associate via a Web portal (see HIPAA Compliance: What’s Next?).

OCR also had a change in leadership last year. In July, Jocelyn Samuels was named the office’s new director. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, told Information Security Media Group in an interview at the HIMSS Conference that he believes the delay in various OCR enforcement activities, including the audit rollout, could be related to tight OCR resources, as well as the new leadership settling in.

But OCR appears to be staffing up for the audit program. In an announcement posted last week by HHS, the agency said it had open a “compliance specialist – auditing” position available within its Washington headquarters.

“This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules,” the job posting said.

OCR officials in recent months have said the agency also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for compliance under the HIPAA Omnibus Rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.

Other Activities

In addition to preparing for resuming the random HIPAA compliance audit program, OCR is working on new guidance, including material relating to business associates; the breach notification rule as well as a breach assessment tool; the use of protected health information for marketing; the “minimum necessary” standard for data; and HIPAA Security Rule compliance updates, Swanson says.

In addition, OCR is continuing breach investigations and rule-making.

“Our goal is, and has always been to get entities into compliance,” Swanson says. “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first. “We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015, she says. All health data breaches affecting more than 500 individuals are investigated by the agency, she says. Although there have been no enforcement actions involving monetary settlements with business associates, Swanson says the agency is current investigating a number of breaches involving BAs.

Read full article…