Plans to launch some onsite HIPAA compliance audits are now on hold while the agency that enforces HIPAA completes more than 200 desk audit reports, says Deven McGraw, deputy director of the Department of Health and Human Services' Office for Civil Rights.
"We have delayed when we are going to start the onsite audits," McGraw says in an exclusive interview at the HIMSS17 conference in Orlando Feb. 20. "We have decided that it makes a lot more sense to [first] take a look at all we had in the desk audit process and even prepare the overarching report to the public about how those desk audits went."
The timeline for onsite audits, however, could change because HHS now has a new secretary, Tom Price, she acknowledges. "We're interested in talking to him about the audit program and getting his input into how it's going to be conducted, but we're very far along with the desk audits and we're eager to finish those up. In terms of the delay, it's really about not taking on more than we can chew, frankly. It's an enormous, resource-intensive effort, even with contractor help ... and we want to make sure we do it right."
McGraw says OCR hopes to begin the onsite audits by the end of this year, but they "may slip into 2018."
Late last year, McGraw had indicated a "smaller number" of onsite HIPAA audits would begin in the first quarter of 2018
Desk Audit Update
In its current round of HIPAA audits, launched last year, OCR has conducted remote desk audits on 166 covered entities with another 44 ongoing at business associates, McGraw explains.
The HIPAA enforcement office expects to begin finalizing reports on the CE audits, to be shared with each organization, in the next few weeks, followed by the drafting of reports on the BA audits, she says. Then OCR will issue a public report summarizing all the results.
"The commitment I'm making to folks is to be transparent about where we are in the process and to give folks a better estimate as soon as we can," she says.
In the interview (see audio link below photo), McGraw also discusses:
- New guidance in the works at OCR, including an "anatomy of a case" that gives an overview on the breach investigation process as well as the results, such as calculating settlement amounts or civil monetary penalties;
- OCR's plans to continue its aggressive HIPAA enforcement activities in 2017 at the same brisk pace as last year, and lessons to be learned from those cases;
- How President Trump's recent executive order that calls for eliminating two existing regulations for every new regulation issued could affect HHS;
- OCR's work with the Food and Drug Administration related to the cybersecurity of medical devices;
- Her new role as interim chief privacy officer at OCR's sister agency, the Office of the National Coordinator for Health IT.
Before joining OCR in 2015, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw served as an adviser to HHS on health data privacy and security issues.