HIPAA Audits Now Focused On Enforcement

Due to widespread noncompliance with the HIPAA Security Rule, the next phase of HIPAA audits will focus on electronic protected health information (e-PHI) security. Although this shouldn’t catch anyone off guard, the HHS OCR expects these audits to result in increased penalties for violations. Health care providers and their business associates, who are subject to the Security Rule, need to review the status of their HIPAA Security Rule compliance in preparation for this upcoming wave of HIPAA enforcement.

Originally, the OCR planned for most audits to consist of desk audits. However, the OCR now intends to do a larger number of comprehensive on-site audits and fewer than 200 desk audits, down from the originally planned 400 desk audits.

Unlike the OCR’s 2012 HIPAA pilot audit program that was focused on assessment and information collection, OCR officials have made it clear they intend to use this round of audits as an enforcement tool.

Given the widespread failures identified during the last round of audits, OCR’s next audit phase will likely target risk assessments, and may focus on whether and how entities have employed data encryption. Health care providers and their business associates need to ensure that their Security Rule compliance program is up to date. Among the action steps that should be considered to prepare for a possible audit are the following:

  1. Update Security Rule Risk Analysis, Policies, and Procedures. Ensure your risk assessment, risk management plan, and accompanying policies and procedures are current and compliant. Responsive materials provided during the Phase II audits must be current as of the date of the request, not the submission.
  2. Watch Your E-mail. OCR will be sending pre-audit surveys, audit notifications and document requests through e-mail or other electronic media. You will have only two weeks to respond to data requests. Failure to submit a response to a request may lead to a referral for regional compliance review.

If you’re concerned about the status of your HIPAA compliance plan or need an updated risk assessment call ITPAC today to set up a consultation.