OCR Reveals Detail Regarding Phase 2 of HIPAA Audits

The Office for Civil Rights (OCR) has revealed that it will restart its HIPAA compliance audit program this fall. Phase 2 will include 350 compliance audits of healthcare providers, healthcare clearinghouses and health plans, along with 50 more audits which, in accordance with the HIPAA Omnibus Rule, will be carried out on business associates.

The OCR completed a round of pilot audits in 2011/2012 which looked at a wide variety of areas of compliance in order to gauge the level of compliance across different parts of the healthcare sector. The pilot round involved 115 covered entities, each of which was subjected to a full compliance audit including a site review. The audits uncovered numerous areas in which healthcare organizations were breaching HIPAA regulations.

The majority of organizations that were audited were discovered to have violated HIPAA, with only 11% of covered entities found to be fully compliant. 80% of healthcare providers found to have breached HIPAA did so by failing to conduct a thorough risk analysis, while 39% of all audited entities registered breaches of the Privacy Rule. 10% violated the Breach Notification Rule and many were discovered to have violated all three, with smaller healthcare providers standing out for a broad range of non-compliance issues.

The results mean the OCR can tailor the next round of audits to target the key areas of HIPAA compliance that lead to the most violations; the audit plan also needed to be refreshed following the issuing of the Omnibus Final Rule last year.

The second phase of HIPAA compliance audits is to include more covered entities and will have a much stricter focus, covering the Privacy, Security and Breach Notification Rules.

The audits are due to take place between October 2014 and June 2015. The coming phase of audits will look at privacy and security, in particular focusing on the storage and transmission of Electronic Health Records and how breaches are managed.

The desk audits will review compliance with Privacy and Security Rule provisions. Under the Privacy Rule, auditors will look in particular at how organizations respond to patient requests for access to their health records and at their notices of privacy practices. Policies and procedures that deal with the Breach Notification Rule will also be checked.

The on-site audits will be more detailed: the OCR is expected to ask to see HIPAA compliance in action, and will be checking that written policies have been transformed into compliant working procedures. They will have a strong emphasis on the Security Rule, which the pilot found to be a major area of non-compliance. Risk analyses will be thoroughly reviewed, as will risk management.

The OCR will be releasing details of the protocol for its next phase of audits on its website in due course. This will enable all covered organizations to conduct an internal pre-assessment of their compliance and address any issues discovered. Business associate audits are not expected to be carried out until 2015.