HIPAA Compliance Audits Remain on HoldOCR Official Describes New Guidance in the Works
After a three-year delay, federal regulators remain tight-lipped about when the next round of HIPAA compliance audits will begin. But a variety of new HIPAA-related guidance is in the works, a government official says.
During an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from the Department of Health and Human Services' Office for Civil Rights told attendees the next phase of the random HIPAA audit program "is under development." Attorney Alessandra Swanson, an OCR team leader from the agency's Chicago office, declined to say whether there's a potential timeline for when OCR expects to kick off the next round of HIPAA audits, or what the program might look like.
OCR, which enforces HIPAA, had hoped to kick off phase two of its compliance audit program last fall, but officials last September revealed the program was being delayed. The culprit blamed at the time: technology that the agency said was still being rolled out at the agency that will allow OCR to collect audit-related documentation from covered entities and business associate via a Web portal (see HIPAA Compliance: What's Next?).
OCR also had a change in leadership last year. In July, Jocelyn Samuels was named the office's new director. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.
Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, told Information Security Media Group in an interview at the HIMSS Conference that he believes the delay in various OCR enforcement activities, including the audit rollout, could be related to tight OCR resources, as well as the new leadership settling in.
But OCR appears to be staffing up for the audit program. In an announcement posted last week by HHS, the agency said it had open a "compliance specialist - auditing" position available within its Washington headquarters.
"This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules," the job posting said.
OCR officials in recent months have said the agency also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for compliance under the HIPAA Omnibus Rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.
In addition to preparing for resuming the random HIPAA compliance audit program, OCR is working on new guidance, including material relating to business associates; the breach notification rule as well as a breach assessment tool; the use of protected health information for marketing; the "minimum necessary" standard for data; and HIPAA Security Rule compliance updates, Swanson says.
In addition, OCR is continuing breach investigations and rule-making.
"Our goal is, and has always been to get entities into compliance," Swanson says. "I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you'll see that we always try to go the compliance route first. "We're interested in getting everyone into compliance; we're not out there trolling for enforcement cases."
OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015, she says. All health data breaches affecting more than 500 individuals are investigated by the agency, she says. Although there have been no enforcement actions involving monetary settlements with business associates, Swanson says the agency is current investigating a number of breaches involving BAs.
Greene, a former OCR official, says he expects the first HIPAA settlements between OCR and business associates to come later this year or in 2016.
Among the rule-making activities that OCR has under way is an update to a proposal for an accounting of disclosures rule, which was mandated under the HITECH Act. OCR in May 2011 issued a notice of proposed rule-making for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision (see EHR Access Report Objections Pour In).
Federal advisers have suggested that OCR and its sister HHS agency, the Office of the National Coordinator for Health IT, launch pilots to test technical capabilities supporting accounting of disclosures involving PHI from electronic health record systems before a final rule is issued.
OCR is also creating a way to share with victims a portion of the financial penalties it collects from HIPAA settlements, Swanson says. Also, a final rule from OCR for the National Instant Criminal Background Check System is being reviewed by the Office of Management and Budget.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.