HHS shares HIPAA audit plans

After much delay, the Department of Health and Human Services Office for Civil Rights (OCR) has initiated the second phase of its HIPAA Audit Program.

Speaking at the 24th National HIPAA Summit in the District of Columbia, OCR Director Jocelyn Samuels said this next phase will comprise more than 200 desk and on-site audits. OCR has developed an audit-specific portal to enable notified entities to submit requested documentation digitally, she said.

Desk audits will make up the first two rounds of audits, Samuels said. The first round will focus on covered entities, according to an OCR announcement, and the second round will focus on business associates. All desk audits will be completed by December. For each of the desk audits, OCR will look at compliance with particular provisions of the privacy, security and breach notification rules.

Audits are "a critical tool for us," Samuels said. "We don't intend it to be a punitive mechanism. We do intend to use it to enable us to get out in front of the kinds of problems that have led to the breach reports that we have received."

Examining different sectors, geographic regions and organization size will help OCR evaluate risks before they "ripen" into breaches, she said. "We don't necessarily get to see these things through the complaints we receive, and by the time we get a breach report, it's too late to prevent a problem. We really do look at this as a valuable way for us to get out in front of potential problems and to direct our guidance to the issues that we see occurring in ways that we hope will be more useful to the regulated community."

Address verification letters started going out this week and will be followed by a questionnaire.

"Once we get the results of the questionnaire back, we will do a sampling of entities based on a host of factors, including size, including the nature of the business, including a balance between covered entities and business associates, including regions of the country," Samuels said. "What we really want to do is use this to get a sense of whether there are systemic structural issues that we can do a better job of addressing."

Every covered entity and business associate is eligible for an audit, according to the notice.

Beth Walsh, Editor
