The Department of Health and Human Services’ Office for Civil Rights has confirmed – to Fierce Health IT – that its preliminary HIPAA surveys have now been issued, marking the start of the 2015 HIPAA compliance audits.
In a recent article in the National Law Review, McDermott Will & Emery revealed that phase 2 of the HIPAA compliance audits was no longer being delayed, after the firm had been advised by some of its clients that an OCR HIPAA audit screening survey had been received.
The aim of the screening surveys is to ensure that all contact and organization information is up to date. The OCR auditors can then pick the organizations most appropriate for audit. From the responses, it is predicted that the OCR select 350 covered entities and 50 Business Associates for an audit on the Security Rule, Privacy Rule, Breach Notification Rule or a combination audit comprising 2 or 3 audit modules.
The OCR is expected to audit healthcare suppliers, health plans and healthcare clearinghouses first, with Business Associate HIPAA audits to come.
It is not clear at this early stage whether the surveys have been issued to all 1,200 bodies that formed the initial sample or if Business Associates have been contacted yet. McDermott Will & Emery believes that the OCR is working with a pool of 550 and 800 CEs. If this is the case, any covered body receiving a survey may have a 50% chance or higher of being audited.
The OCR statement, broadcast via e-mail, confirmed that the pre-audit surveys had been sent, but no information was given as to when the second round of compliance audits will be taking place. According to the original schedule for the audits that were supposed to begin in the fall of 2014, the surveys were scheduled to be sent around this time of year indicating that the audits will only have been delayed a year and will be carried out this fall.
The statement revealed “Additional information about the audit program is forthcoming,” with covered entities instructed to “Check our website for updates.”
Once the notice is published on the OCR website, the audits are expected to start approximately 90 days later, giving covered entities three more months to make sure they are fully HIPAA-compliant before it is put to the test.