HIPAA Audits a Step Closer to Resuming
Participating Organizations to Be Selected Soon
The Department of Health and Human Services' Office for Civil Rights is gearing up to resume its HIPAA compliance audit program this year, and auditors will examine business associates as well as covered entities.
"Hopefully in coming months you'll see actual activity that will start up on the audit process," Susan McAndrew, OCR deputy director for health information privacy, said Feb. 24 at the 2014 HIMSS Conference.
OCR soon will launch a survey of 1,200 organizations as a first step toward selecting those to be audited.
After her HIMSS presentation, McAndrew told Information Security Media Group that the organizations to be surveyed were selected from "a large database," and the survey seeks to verify if the entity is a suitable candidate for a HIPAA audit. "For instance, is the organization still in business? Is the organization the healthcare entity indicated by the database?"
The 1,200 organizations that will be surveyed "is an oversupply," because not all the survey participants will end up being suitable candidates for audits, she says, declining to say how many organizations are likely to be actually audited.
An OCR spokesperson says the survey will target approximately 800 covered entities and 400 business associates.
In a Feb. 24 notice in the Federal Register, OCR explains that it will survey "up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program."
The survey "will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit," according to the notice. "Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations."
In 2012, OCR conducted a pilot HIPAA audit program involving 115 covered entities that was carried out by a contractor, the consulting firm KPMG. Instead of hiring a contractor for the next round of audits, however, OCR plans to "in-source" the audits, McAndrew said.
Privacy attorney Adam Greene, a partner at law firm Davis Wright Tremaine, questions whether OCR will carry out the audits by training existing staff and/or hiring new auditors, and whether those activities will be carried out from regional OCR offices or the central office.
Among the areas likely to be a focus of OCR examinations in 2014 is whether organizations have conducted a timely and thorough HIPAA security risk assessment, because that was a common weak spot found across the board in the pilot audit program as well as in previous breach investigations, McAndrew said.
OCR is also "revising the protocol [for the next round of audits] to reflect changes brought by the HIPAA Omnibus Rule, which went into effect last year," she said.
McAndrew declined to say when in 2014 the audits are likely to resume.
The Federal Register notice indicates that HHS is accepting comments on its plans for the survey until April 25.