Unlike the usual HIPAA audits conducted earlier, round two of the HIPAA audits is to be a limited number of focused “desk audits,” along with a comprehensive on-site audits, performed by none other than the staff of the Department of Health and Human Services’ Office for Civil Rights. The OCR intends to conduct HIPAA compliance audits for about 350 covered entities in the next phase of audits planned to begin this fall, where selected covered entities will be given notification and data requests.
According to a recent presentation at the Health Care Compliance Association Conference by Linda Sanches, OCR senior adviser for health information privacy, OCR auditors will assess compliance efforts through an updated protocol, and will include new criteria that reflect HIPAA Omnibus Rule changes and more specific test procedures.
While the focus of Business Associate audits will be on HIPAA security risk analysis and risk management, the OCR’s audits for covered entities will focus on specific areas of HIPAA compliance. There is also likely to be another round of covered entity audits later in 2015 that will primarily focus on computing device and storage media security controls, transmission security, as well as HIPAA privacy rule safeguards, including workforce training, policies and procedures. Planning way ahead to 2016, the OCR intends for the HIPAA audits to include a focus on encryption and decryption, facility and physical access control, along with other areas of high-risk as identified by 2014 audits.
Who will be audited?
According to the recent presentation by Sanches, the OCR will conduct address verification with covered entities surveyed this spring, where entities will receive a link to an online screening “pre-survey” this summer, and out of the 550 to 800 covered entities contacted for the survey, OCR will select about 350 to audit. While selected covered entities will be receiving audit notification and data requests in fall 2014, they would be asked to identify their business associates and provide those vendors’ current contact information. OCR will then select business associate audit subjects for 2015 from among the BAs identified by covered entities.
The effectiveness of the new approach
Phase 2 of the HIPAA audit program has generated mixed opinions, with one security expert believing that it will help spur compliance, and another expert wondering if there will actually be a boost in compliance, considering the OCR’s approach to selecting candidates and questions.
David Holtzman, vice president of privacy and security compliance services at security consulting firm CynergisTek, and former senior advisor at OCR, believes that phase two of the OCR audit program can have a significant impact on covered entity’s and business associates’ compliance activities. Despite the OCR conducting a limited number of audits this time around, the possible influence of those activities is nonetheless great. Increasing the visibility of compliance with the HIPAA rules, the impact of the OCR audit program across all healthcare providers and organizations is greater than before.
As always, failing to have safeguards in place to protect health information will result in serious consequences – reputational and financial. The time is right for healthcare entities to evaluate their security and compliance stance and thoroughly prepare themselves. Comprehensive security management solutions like Aegify Security Posture Management and Aegify SecureGRC can prove handy at this stage, and help entities fearlessly deal with the upcoming audits with confidence.