Jocelyn Samuels, Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), recently stated that the OCR has still not finalized the audit procedures for the much anticipated “Phase Two” HIPAA audits.
These audits, once they begin, will include both covered entities and business associates. Ms. Samuels declined to provide a date for when the OCR plans to commence the audits, but promised they would begin “expeditiously.”
The American Recovery and Reinvestment Act of 2009 (ARRA) requires the OCR to audit covered entities and business associates for compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The OCR conducted random pilot (“Phase One”) audits in 2011 and 2012 on 115 covered entities. The Phase One audits did not include business associates. The audits required the audited covered entities to provide documentation of their privacy and security compliance efforts. In addition, every audit included a site visit where the OCR interviewed covered entity personnel and observed the covered entity’s processes and operations to determine if the covered entity was in compliance with HIPAA’s requirements.
The Phase Two audits were originally scheduled to begin in the fall of 2014. However, the audits have been continually delayed due to funding and staffing shortages. Ms. Samuels stated the OCR is still developing the audit protocols and encouraged entities to check the OCR’s website for updates on when the audits will commence.
The further delay in the HIPAA audits provides covered entities and business associates with additional time to ensure their HIPAA policies and procedures are in compliance. For example, covered entities and business associates should enter into business associate agreements where needed and update existing agreements for compliance with the Omnibus HIPAA Final Rule. Covered entities should also review their Notice of Privacy Practices for compliance. Don’t forget that it is not enough just to have the appropriate policies and procedures: workforce members must also be trained on the policies and procedures, and this training must be documented.
In addition, both covered entities and business associates should conduct a thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity or business associate. Note that in the Phase One audits, 60% of the findings and observations were based on the Security Rule and 58 out of 59 audited health care providers had at least one Security Rule finding or observation. Furthermore, the audits revealed that two thirds of the audited entities had not conducted a complete and accurate risk assessment.