In September 2015, the Department of Health and Human Services' (HHS's) Office of Inspector General (OIG), issued a report entitled, "OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA Privacy Standards." In its report, the OIG stated that the HHS Office for Civil Rights (OCR), which enforces HIPAA, "has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities." The OIG recommended that OCR:
- fully implement a permanent audit program
- maintain full corrective action documentation
- create an efficient way to search for and track covered entities
- require OCR staff to determine whether covered entities have been investigated previously
- continue to expand outreach and education efforts
In a letter, dated Sept. 23, 2015, OCR concurred with each of the recommendations, and noted that it "will launch Phase 2 of our audit program in early 2016." The program will use both desk reviews of policies, as well as on-site inspections. It will also target specific common areas of noncompliance, and will target business associates. OCR also indicated that it will update its audit protocols. Read the full OIG report and OCR response.