Exclusive: OCR's McGraw on Timing of HIPAA Audits
Describes Steps Remaining Before Program Resumes Next Year
In her first news media interview since joining the Department of Health and Human Services' Office for Civil Rights as deputy director of health information privacy, Deven McGraw describes plans to relaunch random HIPAA audits next year.
The next phase of audits will begin after OCR submits information about its plans for public comment late this year or early in 2016, she says in this exclusive interview with Information Security Media Group. OCR has hired FCi Federal to help with the project.
"We need contractor help to deploy this because our staff is so small," McGraw notes, adding that it's "premature" to say how the audit work will be divided between FCi Federal and OCR personnel.
An OCR spokeswoman tells ISMG: "FCi Federal will be providing temporary staffing and subject matter expertise to assist OCR with the audit." Information about the contract posted on the Federal Procurement Data System site operated by the General Services Administration indicates FCi Federal's contract is valued at nearly $769,000 and runs until Dec. 31, 2016.
OCR is now working on a new protocol for the audits, which will be narrower in scope than those conducted during the pilot round of 115 audits in 2011 and 2012, McGraw says in an interview conducted at an annual HIPAA security conference in Washington, D.C., hosted by OCR and the National Institute of Standards and Technology.
"We're not going to try looking at everything," she says. "We're going to be a bit more focused at some key areas of interest, and are likely to do more examination of policies of organizations and not necessarily do full-site visits for all of them. The full-site audit, while it can be very effective, is very expensive."
McGraw says one of the biggest challenges she faces in her new role is the relatively small staff at OCR.
"I have great staff, but have too few for the dream that I have for this office," she acknowledges. "That requires an assessment of what can we do, how can we be more strategic, what are the things we need to prioritize versus what's the entire wish list. I don't want things to ever come off the wish list, but at the end of the day, I will always be challenged about how to be effective and efficient with less than I would like. But that's probably true for a lot of the covered entities and business associates that I regulate. So I feel their pain."
In this in-depth interview, McGraw also discusses:
- The status of various rule-making efforts, including the long-overdue accounting of disclosures rule, which is mandated by the HITECH Act, as well as a rule concerning how money from financial penalties collected for HIPAA enforcement cases should be shared with victims of breaches;
- Lessons the healthcare sector should learn from the recent string of cyber-attacks targeting the industry;
- Breach investigations and other enforcement activities underway at OCR;
- Outreach and educational materials in the works, including guidance pertaining to patients accessing their own health information.
Before joining OCR in late June, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw also served as an adviser to HHS on health data privacy and security issues. She served on the Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT on policies, and co-led the committee's Privacy and Security Workgroup - previously called the Privacy and Security Tiger Team - as well as its Information Exchange Workgroup.