Kusserow’s Corner: OCR to Resume HIPAA Audits

In a Federal Register Notice published on February 24, the HHS Office of Civil Rights (OCR) announced that it will resume its HIPAA compliance audit program. The 2014 program will cover both covered entities and business associates and will begin with a survey of 1,200 organizations as a first step toward selecting those to be audited. The Notice stated that the OCR would be accepting comments on its plan until April 25, 2014.

It is important to note that all those surveyed will not be audited. The OCR will draw from the surveyed entities a select number that will actually undergo an audit. Approximately two-thirds of those surveyed will be covered entities, and the remainder business associates. The survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit,” according to the Notice. “Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”

Previously, in 2012, OCR conducted a pilot HIPAA audit program involving 115 covered entities, which was carried out by a contractor. This time, OCR intends to do the work internally. It is not clear whether the program will be will be run by the regional OCR offices or from their Washington, DC headquarters. In all likelihood, both will be involved. In the pilot project, security risk assessment was highlighted as a weakness and will likely be a key element in the audits. The lack of a comprehensive security risk assessment has also been a frequent finding from the breach investigations by OCR.

OCR is also “revising the protocol [for the next round of audits] to reflect changes brought by the 2013 HIPAA Omnibus Final Rule.”

To prepare for the upcoming OCR audits, covered entities and business associates should ensure that:

  1. HIPAA leadership has been established, including the appointment of a Security Officer and/or Privacy Officer;
  2. Privacy, Security and Breach Notification policies and procedures have been updated to comply with the HIPAA Omnibus Final Rule;
  3. Workforce members have received training on their responsibilities under the HIPAA Privacy, HIPAA Security and Breach Notification Rules;
  4. A comprehensive evaluation has been conducted of the organization’s compliance with the applicable HIPAA and Breach Notification requirements; and
  5. A formal risk assessment has been conducted on the threats and vulnerabilities to confidentiality, integrity and availability of the organization’s electronic protected health information.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Copyright © 2014 Strategic Management Services, LLC. Published with permission.

Trackbacks

  1. […] The OCR concurred with all recommendations and described its activities to address them. This is one of several reports relating to OCR oversight of HIPAA. In another report, the OIG found that the OCR did not meet other federal requirements critical to the oversight and enforcement of the HIPAA Security Rule. The takeaway from this is that the OCR may be expected to step up its audits of covered entities. For more on this topic including tips on how to be prepared for such audits, see “OCR to resume HIPAA audits.” […]