Round 2 HIPAA Compliance Audits to be Initiated by OCR

by Patrick Kennedy | Feb 27, 2014

The Office for Civil Rights (OCR) of the Department of Health and Human Services has moved a step closer to commencing the next round of HIPAA compliance audits by publishing a notice in the Federal Register stating its intention to send out a series of 1,200 pre-audit surveys.

OCR is authorized to conduct compliance audits under Section 13411 of the HITECH Act and intends to review compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

The notice says that OCR intends to survey 800 covered entities (healthcare providers, clearinghouses and health plans) and 400 of their business associates as part of the second round of compliance audits. Since the introduction of the Omnibus Rule, business associates can be held directly liable for HIPAA non-compliance and data breaches, and OCR wants to ensure that the new requirements are being adhered to.

OCR Deputy Director Susan McAndrew revealed at the 2014 HIMSS Annual Conference on February 24 that the purpose of the survey is to assess suitability for audit. Because the sample was drawn at random, OCR must first identify organizations in its database that are no longer in business and confirm that each organization is the one its database shows. The survey will also determine each organization's size and suitability for audit by asking about recent patient visits or, in the case of health plans, the number of policies recently sold.

Since the primary focus of the audits is to ensure that electronic health data is properly and securely managed, organizations will also be assessed on the extent to which their health records have been digitized. OCR's audits must cover the full range of covered entities, and the sample must be geographically representative. The survey is intended to ensure that these requirements can be met, so not all surveyed organizations will be selected for audit.

The next round of compliance audits is expected to have a much tighter focus than the pilot audits conducted in 2011 and 2012. Security risk assessments are likely to be a major focus, as the pilot audits uncovered numerous HIPAA violations in this area: more than 66% of the organizations examined during the pilot audits were found to have violated the HIPAA Security Rule by failing to conduct a thorough risk analysis, including 80% of the healthcare providers audited. The secure disposal of patient health records will also be reviewed, along with the controls implemented to prevent unauthorized access to PHI and personal identifiers.

The audits are also expected to review HIPAA Privacy Rule compliance, including patients' rights of access to their health data and the use of Notices of Privacy Practices (NPPs), while policies and procedures covering breach notification will be a further focus. Organizations are expected to be able to produce documented evidence that staff have received training on the privacy and security rules and that all policies and procedures have been updated following the introduction of the Omnibus Rule.

Encryption is an "addressable" rather than a "required" implementation specification under the HIPAA Security Rule, but that does not mean it can be ignored: it is an area every covered entity must address. It is not mandatory to encrypt all Protected Health Information, but if a covered entity opts not to encrypt its data, it must document why encryption is deemed unnecessary in its circumstances and what alternative safeguards it has implemented instead. Auditors can be expected to ask for that documentation.

The audits are now close, but OCR has yet to confirm the number of organizations that will be audited or the form the audits will take.


Patrick Kennedy
