This November will mark the four-year anniversary of the HIPAA Audit Pilot Program, conducted by the Office for Civil Rights (OCR). You may recall that, based on the results of that pilot, OCR announced that it would conduct a second round of audits for pre-selected Covered Entities and Business Associates. Initially, the second round, or “Phase 2,” was scheduled to begin in September 2014. However, like many government initiatives, Phase 2 was subject to input, reevaluation, and – consequently – delays. To date, Phase 2 has yet to begin. But, in response to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, we have learned that OCR will launch Phase 2 of its audit program in early 2016.
The audit program is mandated under HIPAA and is designed to measure covered entities’ and business associates’ compliance with HIPAA’s privacy, security, and breach notification requirements.
The OIG’s report is welcome guidance for OCR. Its findings conclude that OCR should strengthen its oversight of covered entities and business associates, and it makes several recommendations, such as implementing a permanent audit program, developing a case-tracking system, documenting corrective action, and expanding outreach and education efforts.
OCR appears to agree with each of OIG’s recommendations. OCR responded that it is moving forward with a permanent audit program and will launch Phase 2 of that program in early 2016. Unlike the pilot program, Phase 2 will include business associates in addition to covered entities.
As previously anticipated, the audits will be a useful tool for OCR in enforcing HIPAA and will likely increase exposure for covered entities and business associates that are habitually non-compliant. For example, OCR has revealed that it now has the ability to search for and track covered entities’ compliance history, and it will now require investigators to check for prior investigations at the outset of any new investigation. As a result, an entity with a history of non-compliance may be more likely to receive an on-site visit rather than a basic, remote policy review.
In light of the new activity, OCR is once again stressing that covered entities and business associates should routinely review their own HIPAA policies and procedures and measure those policies and procedures against the publicly available HIPAA audit protocols.
It is always best practice to regularly review your HIPAA policies and procedures and conduct regular risk assessments to determine your organization’s level of compliance with HIPAA and HITECH. SmithAmundsen works with a number of clients on HIPAA/HITECH, data privacy, and security matters. If your organization has any questions concerning compliance with HIPAA/HITECH or any other data security and privacy issue, please do not hesitate to contact us.