Second Round of HIPAA Audits Delayed by Web Portal

Sep 11, 2014

The second round of HIPAA compliance audits has been put off until 2015 to give the OCR additional time to test its new internet portal. This next round of audits was initially scheduled to take place this fall.

The new web portal is one of the OCR's new initiatives to assist it in policing HIPAA, and it is expected to streamline the collection of data. The portal will also be used to submit reports of HIPAA breaches and violations.

OCR senior adviser Linda Sanches said: “We recently had an opportunity to update the technology we’re using, giving us capabilities that we just didn’t have access to before.”

The introduction of the new portal needs to be completed before the OCR can conduct its next round of audits as the system will need to be used to gather the thousands of documents a round of audits generates. The new system will also enable Jocelyn Samuels to develop the OCR’s program of permanent audits, which former OCR Director Leon Rodriguez had planned before he took up his new role with Homeland Security.

The collection and analysis of documents is an in-depth and labor-intensive process, and the OCR's resources severely limit the number of audits it can realistically conduct. The new portal should enable HIPAA-covered entities to simply upload documents if they are selected for a compliance audit, while the automation of the data collection will free up a large amount of resources at the OCR.

The original audit plan was a pilot comprising 115 audits, which after an initial assessment would lead to a subsequent round involving 400 remote audits and a number of onsite visits. The number of desk audits has now been reduced to 200, but the OCR's budget for onsite visits has been raised. More healthcare organizations can now expect a full and thorough onsite inspection to take place. The next round of audits will also be carried out in the main by OCR staff; the pilot audits were conducted by accounting firm KPMG.

The audit process will begin with pre-screening audits, in which covered entities will be asked to use the portal to submit their documents. The OCR has yet to reveal how many pre-screening audits it will be conducting, although in February the OCR did submit a collection request to the Federal Register to enable it to contact up to 1,200 covered entities including healthcare providers, health plans, clearinghouses and Business Associates. The OCR will then choose the most suitable entities for desk and onsite audits.

According to Sanches, covered organizations will be audited first, followed by Business Associates. She advises all covered bodies to contact their Business Associates and address any HIPAA issues that currently exist. They should also be advised, if they are not already aware, that they will be subject to audits and are responsible for ensuring that they adhere to all HIPAA Privacy and Security Rules, including the latest Omnibus Rule changes.

Covered entities will be asked to submit a list of all contractors and Business Associates as part of the pre-screening process, and she says now is the time to “get your house in order.”

The sample for the coming round of audits will be taken at random; however, there will be some bias, as the audits will need to be geographically representative and the full range of covered organizations will need to be represented. Therefore, all covered groups (healthcare providers, health plans, clearinghouses and their Business Associates) could be selected for audit. The second round will target larger organizations, but that is not to say that pharmacies and small practices will not be chosen for audits.

The OCR has said there will only be a small number of exceptions in the second round; any organization currently under investigation by the OCR will naturally be exempt, as will HIPAA-covered organizations that have an “open breach”.





Patrick Kennedy
