It is not a well-known fact that one of the provisions of the HITECH Act requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules, as well as with the HIPAA Breach Notification standards. To implement this mandate, OCR ran a pilot program from November 2011 to December 2012. The results of this pilot were used to evaluate and verify the program’s effectiveness and to further improve the audit program design and the entity selection process.
The main purpose of this program was to identify best practices and to discover other risks and vulnerabilities that had not previously been addressed through the official complaint process. OCR has made this information available to the public. Only 11% of covered entities were in full compliance.
Most issues were found among the smallest providers, which experienced the greatest number of violations. The cause of the majority of the violations was that the entity was unaware of the requirements; this falls under the ‘did not know’ tier of penalties. Other causes leading to a violation were:
- Lack of application of policies and procedures,
- Incomplete implementation of required components, and
- Complete disregard of the HIPAA regulations.
Phase II of HIPAA Compliance Audit Program
Because of the unsatisfactory results on the part of small providers, the program was expanded into Phase II. Although no firm start date has been announced at this time, the second phase of audits is scheduled to begin in the fall of 2015 and continue into 2016.
Phase II will likely result in compliance reviews among providers nationwide. According to the OCR report, the audits will focus on covered entities and compliance in the following areas:
- Security risk analysis and management
- Breach notifications
- Notice of privacy practices issues
In 2015-2016, covered entities will be audited on device and media controls, transmission security, privacy safeguards, and compliance with workforce training requirements.
2016 is projected to be the year when audits will focus on encryption and decryption, facility access controls, and other high-risk areas identified during the previous phase.
Please visit our blog to read the latest news about Phase II of the HIPAA Compliance Audit Program.