Audit , Governance & Risk Management , HIPAA/HITECH
HIPAA Audits Are Still on HoldOCR Director Reveals Enforcement Plans for 2015
The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.
See Also: Preparing for the SEC Cybersecurity Disclosure Proposed Rules
The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.
Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.
Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.
Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.
In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.
"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."
In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.
Rules In the Works
In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:
- A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health (see HIPAA Change For Gun Checks Proposed);
- An advanced notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
- A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.
In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."
OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.
Other Enforcement Activities
OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.
"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."
OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.
"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.