Health IT Pulse

Aug 13 2014   1:36PM GMT

Office of Civil Rights readies second round of HIPAA audits

By Shaun Sutner

HIPAA compliance audits
Open Payments

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is preparing to launch a second, more ambitious round of HIPAA audits. For the first time the audits will include business associates of HIPAA covered entities, and they could result in enforcement penalties for violators.

Over the summer, OCR had planned to send pre-audit surveys to between 550 and 800 entities in preparation for what it calls “Phase 2 audits,” which begin this fall. These follow Phase 1, a pilot round of audits of 115 entities conducted over the past year.

The pilot audits did not include business associates, carried no penalties, and were performed by subcontractors. The upcoming audits are expected to be done primarily by OCR staff, according to the National Law Review.

However, the new audits will be desk audits rather than on-site visits, the National Law Review said. Auditors won’t be able to seek clarification or additional data, and they will only take into consideration data submitted on time.

From the pre-audit review, OCR is expected to select about 400 entities for the actual HIPAA audits.

Of those, about 350 are supposed to be covered entities – 232 healthcare providers, 109 health plans and nine healthcare clearinghouses. The rest, about 50, are expected to be business associates.

In addition to being performed by OCR staff and not contractors, the second round of audits will differ from the pilot audits in targeting HIPAA standards, including the Privacy Rule and patient access to personal health information (PHI). The first audits revealed a high non-compliance rate with the standards.

The National Law Review reported that OCR will audit 100 entities for compliance with the Privacy Rule, including Notices of Privacy Practices and PHI. Another 100 entities will be audited for content and timeliness of notifications under the Breach Notification Rule, and 150 will be audited on the risk analysis and management standards of the Security Rule.

Business associate audits will cover only risk analysis and management, as well as breach reporting to covered entities.
