HHS shares HIPAA audit plans
Beth Walsh | March 22, 2016 | Health Exec | Cybersecurity

After much delay, the Department of Health and Human Services Office for Civil Rights (OCR) has initiated the second phase of its HIPAA Audit Program.

Speaking at the 24th National HIPAA Summit in the District of Columbia, OCR Director Jocelyn Samuels said this next phase will comprise more than 200 desk and on-site audits. OCR has developed an audit-specific portal to enable notified entities to submit requested documentation digitally, she said.

Desk audits will make up the first two rounds of audits, Samuels said. The first round will focus on covered entities, according to an OCR announcement, and the second round of will focus on business associates. All desk audits will be completed by December. For each of the desk audits, OCR will look at compliance with particular provisions of the privacy security and breach notification rules.

Audits are "a critical tool for us," Samuels said. "We don't intend it to be a punitive mechanism. We do intend to use it to enable us to get out in front of the kinds of problems that have led to the breach reports that we have received."

Examining different sectors, geographic regions and organization size will help OCR evaluate risks before they "ripen" into breaches, she said. "We don't necessarily get to see these things through the complaints we receive, and by the time we get a breach report, it's too late to prevent a problem. We really do look at this as a valuable way for us to get out in front of potential problems and to direct our guidance to the issues that we see occurring in ways that we hope will be more useful to the regulated community."

Address verification letters starting going out this week and will be followed with a questionnaire.

"Once we get the results of the questionnaire back, we will do a sampling of entities based on a host of factors, including size, including the nature of the business, including a balance between covered entities and business associates, including regions of the country," Samuels said. "What we really want to do is use this to get a sense of whether there are systemic structural issues that we can do a better job of addressing."

Every covered entity and business associate is eligible for an audit, according to the notice.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.

Related Content

Six hospital groups urge UnitedHealth to take responsibility for Change Healthcare hack notifications
Ascension experiences disruption of operations after 'cybersecurity event'
AMA says Change Healthcare breach is crippling independent practices
Breached Change Healthcare server lacked multifactor authentication, UnitedHealth CEO admits
Kaiser Permanente exposed data on 13.4 million members to tech companies
Hackers were inside Change Healthcare’s systems 9 days before attack

Design by Adaptive Theme
Trimed Popup
Trimed Popup