The Office for Civil Rights is due to commence the second round of HIPAA compliance audits this year, although news has emerged that the audits are to be delayed once more to give the department time to finalize the audit protocol.
The second round audits were originally scheduled to take place in the fall of last year, but were delayed to give the OCR time to implement a new web portal for reporting data breaches. This measure was essential due to the huge administrative burden that healthcare audits place on the OCR.
The new web portal was intended to streamline data collection and ease pressure on the department, which has been struggling with a lack of resources and staff. OCR Information Privacy Senior Advisor Linda Sanches said at the HIMSS Privacy and Security Forum that she was “Happy because the process that we were going to use before was much more labor intensive in terms of analyzing data.”
The pilot round of HIPAA compliance audits commenced in 2011 and was completed in 2012. The results of those audits indicated that healthcare organizations in particular were failing to implement the measures necessary to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, in spite of having almost three years to analyze the results and formulate a new audit protocol, the OCR has failed to do so, with budget constraints believed to be the problem.
Last year the OCR was due to receive a budget increase but the money never came. This year President Obama has again earmarked funds for the OCR to help it police HIPAA more thoroughly, but it will be a few months before the OCR finds out if these extra funds – for increasing staff – will materialize.
Details have previously been released indicating that the OCR has changed its audit protocol based on the results of the pilot audits. The plan was to conduct 400 audits in the second round, including 350 healthcare providers, healthcare clearinghouses and health plans, with a further 50 audits to be conducted on Business Associates.
The audits are expected to be highly targeted and will be conducted in modules, assessing companies for compliance with the Privacy Rule, the Breach Notification Rule or the Security Rule. 150 audits have been penciled in for the Security Rule, while 100 audits are to be conducted on the Privacy Rule and a further 100 on the Breach Notification Rule. The audits will be split between desk audits, involving a full documentation check, and on-site visits, which will be more comprehensive.
This plan may be in place, but the methodology has clearly not been finalized, with OCR Director Jocelyn Samuels indicating earlier this week at the 23rd National HIPAA Summit that the OCR is not yet ready and the HIPAA audit program will be delayed again, according to a Lexology report.
Covered entities have been required to implement safeguards to protect PHI since the introduction of the Security Rule, which was issued in 2003 and has been in effect since April 2005. The Enforcement Rule of March 2006 allowed the OCR to take action against violators of HIPAA, although it did not issue its first penalty for a further two years.
Privacy advocates have criticized the lack of OCR enforcement in recent years, and while the volume of fines and investigations has increased, relatively few organizations that have suffered data breaches caused by HIPAA violations have received financial penalties, although fines are expected to be issued for non-compliance when the second round of audits takes place.
The delay does give covered entities a little breathing space to ensure that their policies and procedures are up to date ahead of the audits, but it would be ill-advised for them to postpone implementing measures to protect the privacy of patients and improve data security.
In the meantime, should a healthcare organization or health plan be hit with a data breach that exposes the PHI of its patients, and it is discovered that the breach resulted from HIPAA violations, heavy fines are likely to be issued which can run to millions of dollars.