Second Round of HIPAA Audits Delayed

March 25, 2015
Colin Gainer
SmithAmundsen Health Care Alert


Practice Areas


Since the first round of HIPAA audits was completed in 2012, we have heard from the Department of Health and Human Services Office for Civil Rights (OCR) that it will soon begin a second round of auditing covered entities for compliance with the Privacy, Security, and Breach Notification Rules under HIPAA and HITECH. Although the second round of audits was scheduled to begin in late 2014, OCR Director Jocelyn Samuels still does not have a set date for when the next round of HIPAA audits will take place.

On March 16, 2015, Samuels announced at the annual National HIPAA Summit in Washington, D.C. that OCR has still not finalized the audit procedures. Apparently, the reason behind the delay is to allow new technology to be properly implemented. At the HIMSS Security & Privacy Forum, OCR’s senior privacy officer explained that “in any IT project, IT plans don’t always go the way you expect them to. There are things from the spring that I thought we’d be able to accomplish, but we weren’t able to. But I’m happy because the process that we were going to use before was much more labor intensive in terms of analyzing data.”

It should also be noted that the updated HIPAA audit protocols are still being developed. In 2011, OCR released the original protocols, which consisted of 165 performance criteria. It is unclear at this time whether this list will be expanded or condensed. However, OCR is urging covered entities to continue to monitor its website to remain updated on when the audits will begin, and for any updates to the published protocol. Even though the procedure for the next round of HIPAA audits has not been finalized, OCR has explained that they will be “organized around modules” focusing on the privacy, security, and breach notification aspects of HIPAA.

This latest phase of HIPAA audits is also set to include business associates along with covered entities. The original audit pilot-phase in 2011 to 2012 only sampled covered entities. Estimates of the sample group for the next round of audits were reported as being 800 covered entities and 400 business associates. Though, this number could change.

When the second round of audits does come, OCR will likely pay close attention to whether covered entities and business associates have conducted and regularly reviewed their risk assessment, as required by the Security Rule. Nowadays, threats to computer systems and networks are growing and evolving. Data is a valuable commodity. Covered entities and business associates not only must worry about internal threats, such as a workforce member gaining unauthorized access to electronic patient records, but also external threats like hackers and malware that can penetrate computer systems and networks for valuable data. OCR has developed a security assessment tool to help covered entities meet this important Security Rule obligation, and has made it publicly available here.

It is always best practice to regularly review your HIPAA policies and procedures and conduct regular risk assessments to determine your organization’s level of compliance with HIPAA and HITECH. SmithAmundsen works with a number of clients on HIPAA/HITECH, data privacy, and security matters. If your organization has any questions concerning compliance with HIPAA/HITECH or any other data security and privacy issue, please do not hesitate to contact us.