The newly appointed Deputy Director for Information Privacy at the Department of Health and Human Services’ Office for Civil Rights has been adjusting to her new role at the OCR since her appointment earlier this year, but until recently she had not spoken to the news media. That changed with an exclusive interview with the Security Media Group, in which she revealed some details of planned OCR activities, including the upcoming HIPAA compliance audits.
McGraw spoke with HealthcareInfoSecurity.com’s Executive Editor, Marianne Kolbasuk McGee, who asked her about OCR enforcement activities, current and future OCR projects, and the question that is on everyone’s lips at the moment: when will the HIPAA compliance audits begin?
The program of random HIPAA audits was due to begin in 2014; however, the sheer scale of the job has caused delays. Audits take a lot of time and resources, both of which the OCR lacks.
McGraw confirmed that the OCR’s current problem is not a lack of trained staff; she said she has some highly skilled people working for her. The problem is the size of the workforce available to her, which she told SMG has probably been her biggest obstacle.
A full staff of highly skilled personnel sits firmly at the top of her wish list, but McGraw said that it is not possible to have everything, so she has had to make do with the people currently available. With a workload as large as the OCR’s, not everything can be done at once; she has had to be strategic with the resources available to her and has prioritized tasks. McGraw said, “It’s a big agenda… [with] lots of really exciting stuff.”
One of those projects is the HIPAA compliance audit program, a random series of audits of HIPAA-covered entities designed with two aims. First, the audit program gives the OCR vital feedback on the aspects of HIPAA that are causing problems for covered entities. Armed with that data, the OCR can develop new guidance to help healthcare providers, insurers and their business associates introduce the security measures needed to keep Protected Health Information secure. The OCR is currently aiming to issue guidance on the use of mobile devices and cloud services by healthcare providers, and further guidance will be released on a number of “factual scenarios” that are causing covered entities problems.
The second aim of the audits is to ensure that covered entities are adhering to the HIPAA Rules. Those that do not comply will have to dig deep and pay for their lack of attention to data security and patient privacy: the OCR will be issuing fines to covered entities that blatantly disregard the HIPAA Rules.
McGraw confirmed that the audit program is in the final stages of formulation. At present the OCR is bringing in key members of staff and has appointed a company to provide guidance on the audit program. Public comments will be sought, and it is hoped that this process will take place by the end of the year or the start of 2016.
McGraw said that the next phase of audits will be smaller than the pilot in terms of scope and depth of assessment, but more audits will be carried out this time around. The OCR will not look at everything; instead it will focus on key areas of the HIPAA Rules and complete a policy check via its proposed desk audits. On-site visits will be carried out in some instances, but full audits are prohibitively expensive.
However, covered entities that think they can delay bringing data security standards up to those required by HIPAA should reconsider. McGraw stated, “We investigate every breach of more than 500 records and we look at a lot of breaches under 500 records, and we respond to complaints that people have filed about HIPAA violations.” She added, “If entities are out there thinking that we are asleep at the wheel, they need to wake up because we are not asleep at the wheel. Counting on not getting caught, counting on not getting audited… that’s probably a risky strategy.”