OCR Audits to Begin in 2016

November 2, 2015 | By Lawrence J. Tabas

Beginning in 2016, the United States Department of Health and Human Services’ Office for Civil Rights (OCR) will conduct another round of audits to gauge compliance with privacy provisions in the Health Insurance Portability and Accountability Act (HIPAA). This announcement comes in the wake of criticism leveled against OCR for inconsistencies in enforcing the HIPAA Rules.

In an executive summary entitled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the United States Department of Health and Human Services’ Office of the Inspector General (OIG) criticized OCR for its failure to implement the required audit program to proactively assess possible noncompliance by covered entities. In a second executive summary, “OCR Should Strengthen its Followup of Breaches of Patient Health Information Reported by Covered Entities,” OIG determined that OCR was failing to ensure that covered entities that experienced large data breaches documented corrective action. The report found that OCR did not record small-breach information in its case tracking system. OIG recommended that OCR develop a policy to check whether covered entities had been previously investigated. OIG also recommended that OCR continue to expand outreach and education efforts to covered entities.

OCR responded to the criticism by announcing its plans to move forward with the “second phase” of its audit program in a September 23, 2015 letter to the Inspector General. In the letter, OCR revealed that it will conduct audits on covered entities beginning in early 2016. The audits will determine whether these entities are properly disclosing suspected breaches of protected health information (PHI) and whether they are appropriately protecting the privacy and physical security of PHI. The audits will focus on common areas of noncompliance, including the failure of organizations to conduct security risk assessments to identify and mitigate risks to PHI. Risks to PHI include exposed servers, unencrypted laptops, unchanged default passwords, outdated security software, and inadequate training.

The audits, which were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), will include both onsite visits and remote “desk reviews.” Inspectors will examine not only the current state of the audited entities, but also what each entity has historically done to comply with the HIPAA Rules. The audits are designed to inform OCR on the areas in which to direct its enforcement and technical assistance. At present, OCR relies heavily on reports of privacy violations from the general public and self-reporting on data breaches.

In preparation for the audits, OCR will spend the coming months updating audit protocols, refining the pool of potential audit subjects, and implementing a screening tool to assess size, entity type, and other information about potential audit subjects. Although the size of the audit program is not yet clear, prior statements from OCR indicate that the audit program will likely include hundreds of entities.

As 2016 nears, covered entities and potential audit targets need to begin audit preparations. Organizations should conduct their own security risk assessments to evaluate the effectiveness of security controls used to protect PHI. Organizations should review HIPAA policy requirements and begin to compile records of previous audit reports and evaluations related to the implementation of the HIPAA security, privacy and breach notification standards. Audit targets should be prepared to provide this information to OCR for examination. Finally, organizations should develop an audit response plan that identifies the organization’s lead responder, provides a list of responsive documents, and prepares personnel to answer questions.

The Health Law Gurus™ will continue to monitor the implementation of OCR audits. Please check back with us for updates.

About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...
