Round 2 HIPAA Compliance Audits to be Initiated by OCR

The Office for Civil Rights (OCR) of the Department of Health and Human Services is moving closer to commencing the next round of HIPAA compliance audits, having issued a notice in the Federal Register stating its intention to begin a series of 1,200 pre-audit surveys.

The OCR is authorized to complete compliance audits under Section 13411 of the HITECH Act and intends to review compliance with HIPAA Privacy, Security, and Breach Notification Rules.

The notice says that the OCR intends to survey 800 healthcare providers, clearinghouses and health plans, in addition to 400 of their business associates, as part of the second round of compliance audits. Since the introduction of the Omnibus Rule, business associates can be held directly responsible for HIPAA non-compliance issues and data breaches, and the OCR wants to ensure that the new legislation is being adhered to.

OCR Deputy Director Susan McAndrew revealed at the 2014 HIMSS Annual Conference on February 24 that the purpose of the survey is to assess suitability for audit. Since the sample was taken at random, the OCR must first identify organizations in its database which are no longer in business, and it must also confirm that each organization is the same entity as the OCR's database shows. Additionally, the survey will determine each organization's size and suitability for audit by asking about recent patient visits or, in the case of health insurance groups, the number of policies recently sold.

Since the primary focus of the audits is to ensure electronic health data is properly and securely managed, organizations will also be assessed on the extent to which their health records have been digitized. The OCR's audits must also cover the full range of covered entities, and the sample must be geographically representative; the survey will ensure that these requirements can be met, so not all surveyed bodies will be chosen for audit.

The next round of compliance audits is expected to have a much tighter focus than the pilot audits conducted between 2011 and 2012. Security risk assessments are likely to be a major focus, as the pilot audits showed numerous HIPAA violations in this area. Over 66% of the organizations examined during the pilot audits were found to have breached the HIPAA Security Rule by failing to conduct a thorough risk analysis, including 80% of the healthcare providers audited. The secure disposal of patient health records will also be reviewed, along with the controls that have been implemented to prevent unauthorized access to PHI and personal identifiers.

The audits are also expected to review HIPAA Privacy Rule compliance, including patients' rights of access to their health data and the use of Notices of Privacy Practices (NPPs), while policies and procedures covering breach notifications will also be a focus. Organizations are expected to be able to show documented evidence that staff have received training on data privacy and security rules, and that all policies and procedures have been amended following the introduction of the Omnibus Rule.

Although not specifically required by HIPAA, data encryption is an area that must be addressed by all covered entities. It is not mandatory to encrypt all Protected Health Information, but if a covered entity opts not to encrypt its data, it must document why encryption is deemed unnecessary and what alternative security measures it has employed instead.

The audits are now close, but the OCR has yet to confirm the number of organizations that will be audited or the form the audits will take.