HHS shares HIPAA audit plans

After much delay, the Department of Health and Human Services Office for Civil Rights (OCR) has initiated the second phase of its HIPAA Audit Program.

Speaking at the 24th National HIPAA Summit in the District of Columbia, OCR Director Jocelyn Samuels said this next phase will comprise more than 200 desk and on-site audits. OCR has developed an audit-specific portal to enable notified entities to submit requested documentation digitally, she said.

Desk audits will make up the first two rounds of audits, Samuels said. The first round will focus on covered entities, according to an OCR announcement, and the second round of will focus on business associates. All desk audits will be completed by December. For each of the desk audits, OCR will look at compliance with particular provisions of the privacy security and breach notification rules.

Audits are "a critical tool for us," Samuels said. "We don't intend it to be a punitive mechanism. We do intend to use it to enable us to get out in front of the kinds of problems that have led to the breach reports that we have received."

Examining different sectors, geographic regions and organization size will help OCR evaluate risks before they "ripen" into breaches, she said. "We don't necessarily get to see these things through the complaints we receive, and by the time we get a breach report, it's too late to prevent a problem. We really do look at this as a valuable way for us to get out in front of potential problems and to direct our guidance to the issues that we see occurring in ways that we hope will be more useful to the regulated community."

Address verification letters starting going out this week and will be followed with a questionnaire.

"Once we get the results of the questionnaire back, we will do a sampling of entities based on a host of factors, including size, including the nature of the business, including a balance between covered entities and business associates, including regions of the country," Samuels said. "What we really want to do is use this to get a sense of whether there are systemic structural issues that we can do a better job of addressing."

Every covered entity and business associate is eligible for an audit, according to the notice.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Around the web

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Trimed Popup
Trimed Popup