The Department of Health and Human Services Office for Civil Rights (“OCR”) continues to delay implementation of Phase 2 of its HIPAA Audit Program (“Phase 2”), which will build on OCR’s pilot audit program that concluded in 2012. In January, OCR Director Jocelyn Samuels reportedly stated that Phase 2 would be “implemented expeditiously.” However, during an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from OCR reportedly communicated that the audit program is still “under development.”
The 2015 audits will target both HIPAA-covered entities and their business associates. When originally announced, the Phase 2 audits were expected to be desk audits, though now it appears that OCR may also perform some audits onsite. The audits will focus on areas of heightened risk identified by OCR during its pilot program, which include compliance with the HIPAA Security Rule’s requirement to conduct security risk assessments.
OCR is also expected to issue new guidance for the Phase 2 audits, which may include updating its audit program protocol currently on the OCR’s website for covered entities and issuing new business associate protocols. Until additional guidance is issued, to prepare for a potential audit, covered entities and business associates should continue to monitor their HIPAA compliance and implementation efforts and consider the current OCR audit program protocol, which addresses elements of privacy, security, and breach notification. Topics of review are: (1) notice of privacy practices for HIPAA Protected Health Information (“PHI”), (2) individuals’ rights to request privacy protection for PHI, (3) individuals’ access to their own PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
The current protocol also covers Security Rule requirements for administrative, physical, and technical safeguards and requirements for the Breach Notification Rule. Thus, in addition to monitoring general HIPAA compliance, both covered entities and business associates should conduct regular security risk assessments and address potential HIPAA risks identified in such assessments.
In addition to its Phase 2 HIPAA audits, OCR will continue investigating complaints alleging violations of the HIPAA Privacy and Security Rules and may also investigate reports of high profile breaches. So far in 2015, OCR has not announced any settlements with covered entities or business associates.