Federal Government Rolls Out Next Wave of HIPAA Audits

Article

The Federal Office for Civil Rights (OCR) of Health and Human Services (HHS) has begun a new phase of audits of covered entities and business associates for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These audits will enable OCR to identify and address risks and vulnerabilities to protected health information (PHI).

The HIPAA Privacy Rule was promulgated in 2000, followed by the Security Rule in 2003. Between 2003 and 2013 a variety of amendments, including the Breach Notification requirement, were enacted, culminating in the Final Rule. During its almost 20-year lifespan, enforcement of the various HIPAA regulations has been predominantly driven by complaints or data breach reports. The virtual absence of any affirmative enforcement by OCR has led many covered entities and business associates to become complacent.

The Phase 2 HIPAA Audit Program will result in OCR conducting random reviews of the policies and procedures adopted and employed by covered entities and their business associates to determine compliance with the Privacy, Security, and Breach Notification Rules. These audits may take the form of desk audits, but in some circumstances may involve on-site audits.

OCR and HHS have identified these audits as a method for OCR to collect and aggregate data related to overall compliance with HIPAA and handling of PHI, stating in its publications:  

“The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”

However, it is apparent that HHS and OCR will likely use the audits as part of their overall enforcement efforts, as evidenced by OCR's statement that, "Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate." Failure to have a comprehensive HIPAA compliance strategy, including a HIPAA compliance plan, business associate agreements, a risk analysis, and workforce training, can result in fines of up to $1.5 million. Therefore, covered entities and business associates alike should conduct their own internal self-audits as part of their HIPAA compliance activities.

Frier Levitt has extensive experience in developing HIPAA compliance programs for covered entities and business associates. If your organization is required to comply with HIPAA's myriad rules, contacting Frier Levitt is a prudent next step in preparing for an OCR audit or investigation.