Forced to respond to a stinging audit report recently released by the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) that found less than effective enforcement of the HIPAA privacy standards, HHS’s Office for Civil Rights (OCR) will commence its long-awaited HIPAA audits in early 2016.

Ever since OCR completed its pilot audits in 2014, it has been widely expected that OCR would follow up by implementing a permanent audit program, but this never happened despite OCR's announcements and preparations to launch the second phase of its audit program. In its report examining OCR's oversight of covered entities' compliance with the HIPAA Privacy Rule, OIG determined that OCR's oversight has been primarily reactive, responding to complaints in the overwhelming majority of its investigations rather than fully implementing an audit program to proactively identify and assess covered entities' possible noncompliance with the privacy standards.

Although the HITECH Act requirement for audits has been effective since early 2010, OCR has not fully implemented an audit program for covered entities. The concern is that covered entities (such as doctors, pharmacies, and health insurance companies) that do not adequately safeguard protected health information (PHI) (such as medical condition, prescriptions, or treatment history) could expose patients to an invasion of privacy, identity theft, or other harm. OIG’s primary corrective action recommendation was that OCR immediately fully implement a permanent audit program. With its feet to the fire, OCR has accepted this finding and undertaken to launch audits in early 2016.

With the initiation of OCR’s audit program fast approaching, potential targets must maintain readiness for audit examination because HIPAA noncompliance can be costly and disruptive to an organization, as previously discussed here.