OCR Indicates Major Increase in HIPAA Audits

The second round of HIPAA compliance audits have yet to commence, the last round was  in 2012, but they are supposedly returning and will be bigger and bolder than before.

The Department of Health and Human Services’ Office for Civil Rights (OCR) indicated to Washington-based lawyer and HIPAA expert, Adam Greene – partner of Davis Wright Termaine – that compliance enforcement is set for a major increase.

In a presentation given at HIMSS15 in Chicago on Tuesday, Greene said that there had been an increase in enforcement actions involving financial penalties in the last few years. Greene stated that there “was one or three fines levied in 2008-2011, five in 2012 and 2013 and seven last year in 2014”.

The OCR has had to take action in the face of more than 100,000 claims since it began enforcing HIPAA legislation and in the majority of cases these claims have been settled without any investigation being required. In almost a quarter of cases (24%) the Covered Entity (CE) took voluntary corrective action after areas of non-compliance were identified.

In 11% of cases the OCR found no violation and the claim proved to be unfounded, while only 23 cases lead to a violation and penalty (0%). Settlements have increased already and that trend is likely to continue in the foreseeable future.

Greene remarked that the “HHS will not be handing out violations like speeding tickets but increasing monetary fines and more fines are what he sees coming in the future.” And also stated we are “entering a new era of HIPAA enforcement”.

The OCR has been criticized for not completing the audits to date but plans are now in place and according to Greene the next set of audits will “dwarf anything seen so far” according to a report in HealthDataManagement.

There was no indication of when the OCR will be beginning the audits; although Greene said they were expected later in 2015. It has been three years since the end of the pilot phase and last year there was a delay due to web portal alterations. This year the establishing of the protocol appears to be taking some time.

While many covered bodies (CEs) are anxious about the coming audits, now is the time to ensure that all policies and procedures are in adherence and ease the stress when they do begin.

The figures from the initial round of compliance audits show that risk analyses were not so much an issue for organizations; many had simply not carried them out. The majority of those that did complete a risk analysis did not do so thoroughly and therefore did not find all security weaknesses.